search

orval-labs / orval

orval is able to generate client with appropriate type-signatures (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification, either in yaml or json formats. 🍺
https://orval.dev
MIT License
3.03k stars 333 forks source link

Security issue from Dependabot #1664

Open oyvindi opened 3 weeks ago

oyvindi commented 3 weeks ago

The following is reported from Dependabot (NPM also flags this as critical):

JSONPath Plus Remote Code Execution (RCE) Vulnerability

orval@7.1.1 requires jsonpath-plus@7.1.0 via a transitive dependency on @stoplight/spectral-core@1.19.1 orval@7.1.1 requires jsonpath-plus@^6.0.1 via a transitive dependency on nimma@0.2.2 No patched version available for jsonpath-plus

Versions of the package jsonpath-plus before 10.0.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

melloware commented 3 weeks ago

Duplicate of https://github.com/orval-labs/orval/issues/1661

melloware commented 3 weeks ago

image