Open GRenwickBrambles opened 5 days ago
Updating depedencies of dependencies can be tricky but PR is welcome!
it looks like the fix is there but not tagged yet
https://github.com/stoplightio/spectral/commit/5205058d1c9b48e6785b7744e2e2716cc7f1e0f4
@Mariscal6 thanks for keeping your eye on it and let us know when its released so we can bump!
What are the steps to reproduce this issue?
Run snyk test --severity-threshold=high on package after installing
What happens?
Issues with no direct upgrade or patch: ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884] in jsonpath-plus@6.0.1 introduced by orval@7.1.1 > @orval/angular@7.1.1 > @orval/core@7.1.1 > @ibm-cloud/openapi-ruleset@1.23.1 > @stoplight/spectral-formats@1.7.0 > @stoplight/spectral-core@1.19.1 > jsonpath-plus@7.1.0 and 1 other path(s) This issue was fixed in versions: 10.0.0
What were you expecting to happen?
Snyk to be fine with all Orval dependencies
Any logs, error output, etc?
https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
Any other comments?
What versions are you using?
npmPackages: axios: ^1.7.7 => 1.7.7 msw: ^2.4.9 => 2.4.9 orval: ^7.1.1 => 7.1.1