Describe the bug
@stoplight/json-schema-sampler depends on json-pointer, which is vulnerable to CVE-2021-23820. json-pointer has not been updated in a year. Would it be possible for Stoplight to remediate this by moving to another library?
To Reproduce
Install stoplight/elements 6 or 7, then run npm audit --production
Expected behavior
0 production vulnerabilities
Additional context
npm audit report

json-pointer
Severity: moderate
Prototype Pollution in json-pointer - https://github.com/advisories/GHSA-v5vg-g7rq-363w
fix available via npm audit fix --force
Will install @stoplight/elements@6.4.1, which is a breaking change
node_modules/json-pointer
  @stoplight/json-schema-sampler
  Depends on vulnerable versions of json-pointer
  node_modules/@stoplight/json-schema-sampler
    @stoplight/elements-core *
    Depends on vulnerable versions of @stoplight/json-schema-sampler
    node_modules/@stoplight/elements-core
      @stoplight/elements >=6.0.0-alpha.1
      Depends on vulnerable versions of @stoplight/elements-core
      Depends on vulnerable versions of @stoplight/http-spec
      node_modules/@stoplight/elements
Screenshots
none
Environment (remove any that are not applicable):
Worth noting: npm audit fix --force causes other stoplight problems.
Thank you for considering this!
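The advisory cited above (GHSA-v5vg-g7rq-363w) is a prototype-pollution bug class: a JSON Pointer "set" that walks a path with plain property access can be steered onto Object.prototype by a pointer such as /__proto__/polluted. The block below is an added example, not code from Stoplight, @stoplight/json-schema-sampler or the json-pointer package, and it makes no claim about how json-pointer itself is implemented. It shows a minimal RFC 6901 setter in a deliberately vulnerable form (setUnsafe) next to a hardened form (setSafe) that refuses prototype-chain segments and only traverses own properties; parsePointer, isUnsafeSegment and demonstrate are hypothetical helper names chosen for this example.

```javascript
// Added example, not the library's code: a toy RFC 6901 "set" in a vulnerable
// and a hardened variant, to illustrate CVE-2021-23820's bug class and one
// remediation that does not depend on an upstream json-pointer release.
'use strict';

// RFC 6901: drop the leading "/", split on "/", then unescape "~1" -> "/"
// before "~0" -> "~" (the order matters, or "~01" would decode wrongly).
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error('Invalid JSON pointer: ' + pointer);
  return pointer
    .slice(1)
    .split('/')
    .map(seg => seg.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Vulnerable variant: cur[seg] follows the prototype chain, so the segment
// "__proto__" on a plain object yields Object.prototype and the final write
// lands there, affecting every object in the process.
function setUnsafe(obj, pointer, value) {
  const segments = parsePointer(pointer);
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Segments that let a path escape the target object onto shared prototypes.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeSegment(seg) {
  return FORBIDDEN_SEGMENTS.has(seg);
}

// Hardened variant: reject the dangerous segments up front and descend only
// through own properties, so the write can never leave `obj`.
function setSafe(obj, pointer, value) {
  const segments = parsePointer(pointer);
  if (segments.length === 0) throw new Error('Cannot set the root document');
  for (const seg of segments) {
    if (isUnsafeSegment(seg)) throw new Error('Refusing unsafe pointer segment: ' + seg);
  }
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg) ? cur[seg] : undefined;
    if (typeof own !== 'object' || own === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Runs the same attacker-controlled pointer against both variants and reports
// what happened. Object.prototype is restored afterwards so the demonstration
// leaves no lasting pollution behind.
function demonstrate() {
  const attack = '/__proto__/polluted'; // constructed malicious pointer
  const result = { unsafePolluted: false, safeRejected: false, cleanAfter: false };
  try {
    setUnsafe({}, attack, 'yes');
    // A brand-new, unrelated object now "has" the attacker's property.
    result.unsafePolluted = ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
  try {
    setSafe({}, attack, 'yes');
  } catch (e) {
    result.safeRejected = true;
  }
  result.cleanAfter = ({}).polluted === undefined;
  return result;
}
```

The same segment filter can be applied as a pre-check in front of any third-party pointer library (run isUnsafeSegment over parsePointer(input) before handing the pointer on), which is a way to close the hole in a consuming project while the dependency question is being worked out.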