Closed benjdlambert closed 1 year ago
Hi Ben.
Yes, I will take care of that. Thank you for the reminder.
Nice thanks! Let me know if there's anything we can do to help! :pray:
json-schema-library is published with an upgraded gson-pointer dependency: v7.3.7. Your issue should be solved.
Thank you for the quick turnaround! :pray:
@sagold it looks like the vulnerability is still there in the latest package however? Just tried with the latest 4.1.2 version and it's still possible to do prototype pollution with the latest version?
yes I see the problem now. Will be done soon.
OK perfect! Thank you again! :pray:
Hi Ben.
gson-pointer: watch has been removed from gson-pointer; gson-pointer was published with v4.1.3.
In addition, a step which was overdue is to move the gson-pointer package. This package will further be published under @sagold/json-pointer and is currently available with v5.0.0 (ahead of gson-pointer and includes the same patches).
Thus, as of v7.3.8 the dependency was replaced by @sagold/json-pointer@v5.0.0; running yarn audit results in 0 vulnerabilities.
If I missed something, send me a response.
Perfect! Thanks for turning this around for us quickly! Have a great day! :pray:
Hey :wave:
We've had a report that the gson-pointer dependency has a vulnerability which I believe to be this one: https://github.com/sagold/gson-pointer/pull/3 but it seems that this library looks like it's not been updated in a while. Would it be possible to merge the suggested fix and deploy a new version of this library with the minimum version requirement to be the latest of gson-pointer? Thanks for a great library!
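The bug class this thread is about is prototype pollution through a JSON Pointer write. As an added example (not code from gson-pointer, @sagold/json-pointer or json-schema-library), here is the kind of guard a pointer setter needs: it refuses any segment that would reach Object.prototype and only descends into own properties. The function names (safeSet, parsePointer, prototypeIsClean) are assumed for illustration.

```javascript
// Added example, not the library's own code: an RFC 6901 JSON Pointer setter
// hardened against prototype pollution.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Decode one reference token: "~1" -> "/" first, then "~0" -> "~" (RFC 6901 order).
function decodeToken(token) {
  return token.replace(/~1/g, "/").replace(/~0/g, "~");
}

// Split a pointer such as "/a/b/c" into its decoded segments.
function parsePointer(pointer) {
  if (pointer === "") return [];
  if (pointer[0] !== "/") throw new Error(`invalid json pointer: ${pointer}`);
  return pointer.slice(1).split("/").map(decodeToken);
}

// Set `value` at `pointer` inside `target`, creating intermediate objects.
// Returns true on success; throws if any segment could reach a prototype.
function safeSet(target, pointer, value) {
  const segments = parsePointer(pointer);
  if (segments.length === 0) throw new Error("cannot replace the root");
  for (const s of segments) {
    if (FORBIDDEN_SEGMENTS.has(s)) {
      throw new Error(`refusing to traverse prototype key: ${s}`);
    }
  }
  let node = target;
  for (const s of segments.slice(0, -1)) {
    // Only descend into own, non-null object properties; never walk up the
    // prototype chain, and never reuse an inherited value as a container.
    const own = Object.prototype.hasOwnProperty.call(node, s);
    if (!own || typeof node[s] !== "object" || node[s] === null) {
      node[s] = {};
    }
    node = node[s];
  }
  node[segments[segments.length - 1]] = value;
  return true;
}

// Regression check: a fresh object must not see `key` via its prototype.
function prototypeIsClean(key) {
  return !(key in {});
}
```

A regression test for a pointer library should assert both that the write is rejected and that `prototypeIsClean` still holds afterwards.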