sdawood / json-tots

JSON Template of Templates
MIT License

found 1 moderate severity vulnerability #1

Closed terehov closed 5 years ago

terehov commented 6 years ago

Awesome library, I was looking for something like that for a while and was just about to start writing my own one :-)

When installing I get the following error from the jsonpath dependency you are using:

│ Moderate      │ Sandbox Breakout / Arbitrary Code Execution                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ static-eval                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ json-tots                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ json-tots > jsonpath > static-eval                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/548                       │

sdawood commented 6 years ago

Thanks for the encouragement

Now I've been seeing those everywhere lately, my guess is that npm has recently been calling 'npm audit' when it does 'npm install'

A call to 'npm audit fix' bumps your packages forward as much as your semver pattern allows it, and you would get rid of most of the errors, since the fixes are mostly 'patch' version bumps.

Please open that issue in the jsonpath GitHub repo, and I'm sure David @dchester would respond in a timely fashion; I'll bump my dependencies accordingly.
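To check whether a dependency bump (for example via 'npm audit fix') actually moved the transitive static-eval past the advisory's "Patched in" bound, here is an added example that walks a package-lock.json-style tree and reports every path to the package, as the audit table above does. This is not code from json-tots or jsonpath; the lock-file snippet and its versions are constructed for illustration.

```javascript
// Added example (not from the json-tots project): walk a package-lock.json-style
// dependency tree, collect every path that reaches the advisory's package, and
// report whether the installed version meets its "Patched in" lower bound.
// The lock-file snippet and its versions are constructed for illustration.
const lockfile = {
  dependencies: {
    'json-tots': {
      version: '1.0.0',
      dependencies: {
        jsonpath: {
          version: '1.0.0',
          dependencies: { 'static-eval': { version: '1.1.1' } }, // assumed pre-patch
        },
      },
    },
  },
};
// '^1.2.3', '>=1.2.3' or 'v1.2.3' -> [1, 2, 3]; missing parts count as 0.
function parseVersion(v) {
  return String(v).replace(/^[^\d]*/, '').split('.').map((n) => parseInt(n, 10) || 0);
}
// True when `installed` >= `minimum`, comparing major.minor.patch numerically.
function isPatched(installed, minimum) {
  const a = parseVersion(installed);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}
// Depth-first walk over nested `dependencies`, recording each path to `target`.
function findPaths(tree, target, prefix = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, name];
    if (name === target) hits.push({ path, version: node.version });
    hits.push(...findPaths(node, target, path));
  }
  return hits;
}
// One entry per path, in the "a > b > c" form npm audit prints.
function audit(tree, target, patchedIn) {
  return findPaths(tree, target).map((hit) => ({
    path: hit.path.join(' > '),
    version: hit.version,
    vulnerable: !isPatched(hit.version, patchedIn),
  }));
}
```

Calling `audit(lockfile, 'static-eval', '>=2.0.0')` on the constructed tree returns the single path json-tots > jsonpath > static-eval flagged as vulnerable; after a bump that installs static-eval 2.0.0 or later the same call reports it as patched.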

sdawood commented 6 years ago

Also I'm currently happy to also accept issues of the "Feature Request" flavor, feel free to add some of those using the "feature" label to distinguish them from the rest.