istanbuljs / nyc

the Istanbul command line interface
https://istanbul.js.org/
ISC License

JSON5 Vulnerability - Prototype Pollution in JSON5 via Parse Method #1505

Closed raQai closed 1 year ago

raQai commented 1 year ago

Link to bug demonstration repository

https://github.com/advisories/GHSA-9c47-m6qq-7p4h

Expected Behavior

Audit passing

Observed Behavior

Audit failing

Troubleshooting steps

% npm audit --audit-level=high

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5

chungleu commented 1 year ago

Have you tried using a package resolution, or the npm equivalent, 'overrides'? This lets you override a child dependency version without having to wait for a higher one to be updated.

We had the same issue with nyc and this seemed to work for us:

  "resolutions": {
    "nyc/istanbul-lib-instrument": "^5.2.1"
  },
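
As an added example (not code from the nyc project or from anyone in this thread): a small JavaScript script that scans a package-lock.json (lockfileVersion 2 or 3, which carry a `packages` map) for json5 copies inside the range reported by `npm audit` above, and builds the npm `overrides` entry that is the equivalent of the yarn resolution suggested here. The lockfile contents are constructed, and the patched spec `^2.2.2` is an assumption (the first version above the reported range).

```javascript
// Added example, not from the nyc project. Scans a lockfile "packages" map for
// json5 versions inside the advisory range (2.0.0 - 2.2.1, per the npm audit
// output in this issue) and emits an npm "overrides" entry to force a fix.

const VULN_RANGE = { name: 'json5', min: [2, 0, 0], max: [2, 2, 1] };
const PATCHED = '^2.2.2'; // assumption: first release above the reported range

// Parse "major.minor.patch" into numbers; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-part numeric comparison: negative if a < b, zero if equal, positive if a > b.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Every installed node_modules path of the package whose version is in [min, max].
// Nested copies (node_modules/x/node_modules/json5) are found as well.
function findVulnerable(lock, range = VULN_RANGE) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (!p.endsWith(`node_modules/${range.name}`) || !meta.version) continue;
    const v = parseVersion(meta.version);
    if (cmp(v, range.min) >= 0 && cmp(v, range.max) <= 0) {
      hits.push({ path: p, version: meta.version });
    }
  }
  return hits;
}

// npm's counterpart of a yarn "resolutions" entry: pin the package everywhere.
function overridesFor(hits, patched = PATCHED) {
  return hits.length ? { overrides: { [VULN_RANGE.name]: patched } } : {};
}

// Constructed lockfile: patched top-level json5, one vulnerable nested copy,
// and a 1.x copy that lies outside the reported 2.x range.
const sampleLock = {
  packages: {
    'node_modules/json5': { version: '2.2.3' },
    'node_modules/nyc/node_modules/istanbul-lib-instrument/node_modules/json5': { version: '2.2.1' },
    'node_modules/other/node_modules/json5': { version: '1.0.2' },
  },
};

console.log(findVulnerable(sampleLock));
console.log(JSON.stringify(overridesFor(findVulnerable(sampleLock)), null, 2));
```

Run it against a real project by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the printed `overrides` object is what goes into package.json before re-running `npm install` and `npm audit`.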

raQai commented 1 year ago

Yeah, thanks for the advice :slightly_smiling_face: npm audit fix actually resolves the failure, but I just wanted to open this issue since it was not yet addressed in nyc itself, which it probably should be :)

G-Rath commented 1 year ago

@raQai there is nothing for nyc to address, as the vulnerability is in a child dependency of a dependency they rely on, whose constraints allow for a patched version to be used (since running npm audit fix successfully resolves the advisory). nyc would only need to action this if that weren't the case.

raQai commented 1 year ago

Thanks for clarifying @G-Rath :+1: