sagold / json-schema-library

Customizable and hackable json-validator and json-schema utilities for traversal, data generation and validation
MIT License

Vulnerability on `gson-pointer` dependency #24

Closed benjdlambert closed 1 year ago

benjdlambert commented 1 year ago

Hey :wave:

We've had a report that the gson-pointer dependency has a vulnerability which I believe to be this one: https://github.com/sagold/gson-pointer/pull/3 but it seems that this library looks like it's not been updated in a while.

Would it be possible to merge the suggested fix and deploy a new version of this library with the minimum version requirement to be the latest of gson-pointer?

Thanks for a great library!

sagold commented 1 year ago

Hi Ben.

Yes, I will take care of that. Thank you for the reminder.

benjdlambert commented 1 year ago

Nice thanks! Let me know if there's anything we can do to help! :pray:

sagold commented 1 year ago

json-schema-library is published with an upgraded gson-pointer dependency: v7.3.7.

Your issue should be solved.

benjdlambert commented 1 year ago

Thank you for the quick turnaround! :pray:

benjdlambert commented 1 year ago

@sagold it looks like the vulnerability is still there in the latest package however? Just tried with the latest 4.1.2 version and it's still possible to do prototype pollution with the latest version?
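For reference, an added example (not code from json-schema-library or gson-pointer; function names are my own) of a JSON pointer `set` that rejects the segments a prototype-pollution write would have to pass through, which is the kind of guard a pointer library needs before it walks user-supplied paths:

```javascript
// Added example, not from json-schema-library or gson-pointer.
// Segments that resolve to Object.prototype when followed on a plain object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split an RFC 6901 pointer into decoded segments ("~1" -> "/", "~0" -> "~").
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error(`invalid JSON pointer: ${pointer}`);
  return pointer
    .slice(1)
    .split('/')
    .map((s) => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Set `value` at `pointer` inside `target`, creating intermediate objects.
// Throws instead of writing when any segment could reach the prototype chain,
// and only descends into own properties so an inherited key is never followed.
function setPointer(target, pointer, value) {
  const segments = parsePointer(pointer);
  if (segments.length === 0) throw new Error('cannot replace root');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing prototype-reaching segment: ${seg}`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// True when setPointer refuses the pointer (useful in an audit or unit test).
function isRejectedPointer(pointer) {
  try {
    setPointer({}, pointer, 1);
    return false;
  } catch (e) {
    return true;
  }
}
```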

sagold commented 1 year ago

Yes, I see the problem now. Will be done soon.

benjdlambert commented 1 year ago

OK perfect! Thank you again! :pray:

sagold commented 1 year ago

Hi Ben.

In addition, a step which was overdue is to move the gson-pointer package. This package will further be published under @sagold/json-pointer and is currently available with v5.0.0 (ahead of gson-pointer and includes the same patches).

Thus, running yarn audit results in 0 vulnerabilities.

If I missed something, send me a response.

benjdlambert commented 1 year ago

Perfect! Thanks for turning this around for us quickly! Have a great day! :pray: