dividab / tsconfig-paths

Load node modules according to tsconfig paths, in run-time or via API.
MIT License

Package is dependent on vulnerable versions of json5 #233

Closed PythonCoderAS closed 1 year ago

PythonCoderAS commented 1 year ago

According to npm audit:

# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      eslint-config-airbnb-base  >=15.0.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-airbnb-base
        eslint-config-airbnb-typescript  >=16.0.0
        Depends on vulnerable versions of eslint-config-airbnb-base
        Depends on vulnerable versions of eslint-plugin-import
        node_modules/eslint-config-airbnb-typescript

PythonCoderAS commented 1 year ago

Fixed by #232

jongolden commented 1 year ago

Could we get a patch for 3.x as well? It's still dependent on json5@1.0.1

mihaiplesa commented 1 year ago

https://github.com/dividab/tsconfig-paths/pull/234 would fix for v3 but needs a dedicated branch to be created from the v3.14.2 tag. Then I can change the base branch in my PR.

chrisweb commented 1 year ago

@jonaskello do you have an objection to making a v3.14.2 branch for tsconfig-paths, in which JSON5 would get bumped to v1.0.2 using mihaiplesa's PR: https://github.com/dividab/tsconfig-paths/pull/234?

This would be great because when that's done, then eslint-plugin-import could bump their version of tsconfig-paths from v3.14.1 to v3.14.2 (they don't want to use tsconfig-paths v4 as it would be a breaking change, so a tsconfig-paths v3.x would make sense in my opinion, see their full explanation here: https://github.com/import-js/eslint-plugin-import/issues/2712#issuecomment-1424705192)

@mihaiplesa maybe update your PR's title to "bump JSON5 from v1.0.1 to v1.0.2 in tsconfig-paths v3.14.1 to fix CVE-2022-46175" to make it clearer that this is a new PR that is different from the PR for tsconfig-paths v4.1.1 https://github.com/dividab/tsconfig-paths/pull/232

after that I guess this ticket could get closed

jonaskello commented 1 year ago

Released now in 3.14.2

dhermes commented 1 year ago

I just merged a change to upgrade to tsconfig-paths@3.14.2 (and transitively to json5@1.0.2). However, the Dependabot alert did not resolve due to:

> The earliest fixed version is 2.2.2.

I don't know the specific details on the json5 side of things, but I'm not sure json5@1.0.2 is considered valid/maintained?

PythonCoderAS commented 1 year ago

According to the GitHub report 1.0.2 is also valid. I think this might be a bug in Dependabot.

chrisweb commented 1 year ago

> Released now in 3.14.2

thank you