orval-labs / orval

orval is able to generate client with appropriate type-signatures (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification, either in yaml or json formats. 🍺
https://orval.dev
MIT License
2.94k stars 326 forks

Snyk failing in Pipeline due to jsonpath-plus issue #1661

Open GRenwickBrambles opened 5 days ago

GRenwickBrambles commented 5 days ago

What are the steps to reproduce this issue?

Run snyk test --severity-threshold=high on package after installing

What happens?

Issues with no direct upgrade or patch:
  ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884] in jsonpath-plus@6.0.1
    introduced by orval@7.1.1 > @orval/angular@7.1.1 > @orval/core@7.1.1 > @ibm-cloud/openapi-ruleset@1.23.1 > @stoplight/spectral-formats@1.7.0 > @stoplight/spectral-core@1.19.1 > jsonpath-plus@7.1.0 and 1 other path(s)
  This issue was fixed in versions: 10.0.0

What were you expecting to happen?

Snyk to be fine with all Orval dependencies

Any logs, error output, etc?

https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

Any other comments?

What versions are you using?

npmPackages:
  axios: ^1.7.7 => 1.7.7
  msw: ^2.4.9 => 2.4.9
  orval: ^7.1.1 => 7.1.1
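To see every dependency chain that pulls the flagged package into a project, here is an added example (not orval's or Snyk's code): it walks an `npm ls --all --json` style tree, assumed to be shaped `{version, dependencies: {name: node}}`, and marks each occurrence whose version is below the release Snyk reports as fixed. The sample tree is constructed from the path in the report above.

```javascript
// Walks an `npm ls --all --json`-shaped tree (assumption: {version, dependencies:{name: node}}).
// Numeric x.y.z comparison; pre-release suffixes are ignored (assumption).
function versionLt(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Returns one record per occurrence of `target` below the root:
// { path: 'a@1 > b@2 > target@x', version, vulnerable }.
function findVulnerablePaths(tree, target, fixedIn) {
  const hits = [];
  const walk = (node, name, trail) => {
    const here = [...trail, `${name}@${node.version}`];
    if (name === target) {
      hits.push({ path: here.join(' > '), version: node.version,
                  vulnerable: versionLt(node.version, fixedIn) });
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  };
  for (const [dep, child] of Object.entries(tree.dependencies || {})) {
    walk(child, dep, []);
  }
  return hits;
}

// Constructed sample: the dependency chain from the Snyk output in this issue.
const CHAIN = [['orval', '7.1.1'], ['@orval/angular', '7.1.1'], ['@orval/core', '7.1.1'],
  ['@ibm-cloud/openapi-ruleset', '1.23.1'], ['@stoplight/spectral-formats', '1.7.0'],
  ['@stoplight/spectral-core', '1.19.1'], ['jsonpath-plus', '7.1.0']];
const SAMPLE_TREE = { version: '1.0.0', dependencies: {} };
let cursor = SAMPLE_TREE;
for (const [name, version] of CHAIN) {
  cursor.dependencies = { [name]: { version } };
  cursor = cursor.dependencies[name];
}

for (const r of findVulnerablePaths(SAMPLE_TREE, 'jsonpath-plus', '10.0.0')) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok'} ${r.path}`);
}
```

For a real project, replace SAMPLE_TREE with the parsed output of `npm ls --all --json`; every path it prints as VULNERABLE has to be resolved before `snyk test --severity-threshold=high` passes.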

melloware commented 5 days ago

Updating dependencies of dependencies can be tricky, but a PR is welcome!

melloware commented 1 day ago

[image]

Mariscal6 commented 8 hours ago

It looks like the fix is there but not tagged yet:

https://github.com/stoplightio/spectral/commit/5205058d1c9b48e6785b7744e2e2716cc7f1e0f4

melloware commented 5 hours ago

@Mariscal6 thanks for keeping your eye on it, and let us know when it's released so we can bump!