Open xfated opened 2 weeks ago
Issue: The current stable release of rdme (8.6.6) is using an outdated version of the 'oas' package, which in turn depends on a vulnerable version of 'jsonpath-plus'.
Details:
The vulnerability in jsonpath-plus versions before 10.0.0 is related to Remote Code Execution (RCE) due to improper input sanitization. More information can be found here: https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
Request: Could you please update the 'oas' dependency in rdme to use a version that includes the patched version of jsonpath-plus (10.0.0 or later)?
Impact: This vulnerability potentially exposes projects using rdme to security risks, especially if they're processing untrusted input.
Additional Notes:
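A way to confirm whether a project is affected before and after the requested bump, as an added example that is not part of the issue or of the rdme/oas projects: walk a package-lock.json (lockfileVersion 2 or 3, the "packages" map) and report every copy of jsonpath-plus older than 10.0.0, nested copies included, since the vulnerable one arrives transitively via oas rather than as a direct dependency. The sample lockfile and its versions are constructed for illustration.

```javascript
// Scan a parsed package-lock.json (lockfileVersion 2/3) for jsonpath-plus
// entries below the fixed version. Lockfile v1 ("dependencies" tree) is not
// handled here.

// Minimal "a < b" on major.minor.patch; pre-release suffixes are ignored.
function versionLessThan(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Returns [{ path, version }] for each jsonpath-plus entry older than
// fixedVersion. The path itself shows who pulled it in (e.g. nested under
// node_modules/oas/), which is what you need to know which dependency to bump.
function findVulnerableJsonpathPlus(lock, fixedVersion = '10.0.0') {
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (!pkgPath.endsWith('node_modules/jsonpath-plus')) continue;
    if (meta.version && versionLessThan(meta.version, fixedVersion)) {
      hits.push({ path: pkgPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample mirroring the report: rdme -> oas -> jsonpath-plus.
// The oas version is a placeholder; the jsonpath-plus versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/rdme': { version: '8.6.6' },
    'node_modules/oas': { version: '0.0.0-placeholder' },
    'node_modules/oas/node_modules/jsonpath-plus': { version: '9.0.0' },
    'node_modules/jsonpath-plus': { version: '10.0.0' },
  },
};

for (const h of findVulnerableJsonpathPlus(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} is below 10.0.0`);
}
```

To check a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json; an empty result after the oas update is the expected outcome.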