stoplightio / json-schema-sampler


json-schema-sampler vulnerable to CVE-2021-23820 #24

Open AaronSterlingGENEICD opened 2 years ago

AaronSterlingGENEICD commented 2 years ago

Describe the bug

@stoplightio/json-schema-sampler depends on json-pointer, which is vulnerable to CVE-2021-23820. json-pointer has not been updated in a year. Would it be possible for stoplight to remediate this by moving to another library?

To Reproduce

Install stoplight/elements 6 or 7, then run npm audit --production

Expected behavior

0 production vulnerabilities

Additional context

```
# npm audit report

json-pointer
Severity: moderate
Prototype Pollution in json-pointer - https://github.com/advisories/GHSA-v5vg-g7rq-363w
fix available via `npm audit fix --force`
Will install @stoplight/elements@6.4.1, which is a breaking change
node_modules/json-pointer
  @stoplight/json-schema-sampler
  Depends on vulnerable versions of json-pointer
  node_modules/@stoplight/json-schema-sampler
    @stoplight/elements-core  *
    Depends on vulnerable versions of @stoplight/json-schema-sampler
    node_modules/@stoplight/elements-core
      @stoplight/elements  >=6.0.0-alpha.1
      Depends on vulnerable versions of @stoplight/elements-core
      Depends on vulnerable versions of @stoplight/http-spec
      node_modules/@stoplight/elements
```

Screenshots none

Environment (remove any that are not applicable): Worth noting: npm audit fix --force causes other stoplight problems. Thank you for considering this!
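The advisory above is a prototype-pollution bug: a JSON Pointer library that resolves a path such as `/__proto__/polluted` against a plain object can end up writing onto `Object.prototype`, which every object then inherits. The following is an added illustration, not code from json-pointer, this repository or Stoplight, of what a hardened RFC 6901 setter looks like: it rejects the prototype-related reference tokens before walking the document, only descends through own properties, and includes a small post-processing check a consumer can run to confirm nothing leaked up the prototype chain. Function names (`parsePointer`, `safeSet`, `inheritedByEmptyObject`) and the sample pointers are assumptions made for this example.

```javascript
// Added example (not json-pointer's or Stoplight's code): a minimal RFC 6901
// JSON Pointer "set" that refuses to traverse or create prototype-related keys.

// Reference tokens that would reach into the prototype chain of a plain object.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split an RFC 6901 pointer into its reference tokens, undoing the
// "~1" -> "/" and "~0" -> "~" escapes in that order, as the RFC requires.
function parsePointer(pointer) {
  if (pointer === "") return [];
  if (pointer[0] !== "/") throw new Error(`Invalid JSON Pointer: ${pointer}`);
  return pointer
    .slice(1)
    .split("/")
    .map((token) => token.replace(/~1/g, "/").replace(/~0/g, "~"));
}

// Set `value` at `pointer` inside `obj`, creating intermediate plain objects.
// Every token is validated up front so a bad pointer changes nothing at all.
function safeSet(obj, pointer, value) {
  const tokens = parsePointer(pointer);
  if (tokens.length === 0) throw new Error("Cannot replace the document root");
  for (const token of tokens) {
    if (FORBIDDEN_SEGMENTS.has(token)) {
      throw new Error(`Refusing to traverse prototype key "${token}"`);
    }
  }
  let cursor = obj;
  for (let i = 0; i < tokens.length - 1; i++) {
    const token = tokens[i];
    // Only descend into own, non-null object properties; anything inherited
    // from the prototype is replaced by a fresh container instead.
    if (
      !Object.prototype.hasOwnProperty.call(cursor, token) ||
      typeof cursor[token] !== "object" ||
      cursor[token] === null
    ) {
      cursor[token] = {};
    }
    cursor = cursor[token];
  }
  cursor[tokens[tokens.length - 1]] = value;
  return obj;
}

// Defender-side check: a key that is visible on a brand-new empty object can
// only be there because it was inherited from Object.prototype. Run this after
// processing untrusted input to confirm the prototype is still clean.
function inheritedByEmptyObject(key) {
  return key in {};
}

// Usage: a normal pointer, including an escaped "/" in a key, is applied;
// a prototype-reaching pointer is rejected and leaves Object.prototype intact.
const doc = safeSet({}, "/a/b~1c", 1);
console.log(JSON.stringify(doc)); // {"a":{"b/c":1}}
try {
  safeSet({}, "/__proto__/polluted", true);
} catch (e) {
  console.log(e.message);
}
console.log(inheritedByEmptyObject("polluted")); // false
```

Validating the whole pointer before mutating anything matters: rejecting only the final token would still let `/__proto__` be created as an intermediate container, and checking `hasOwnProperty` on the way down prevents the walk from silently descending into an inherited object.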

mgrsskls commented 2 years ago

json-pointer has been updated to fix the vulnerability: https://github.com/manuelstofer/json-pointer/commit/931b0f9c7178ca09778087b4b0ac7e4f505620c2