stoplightio / prism

Turn any OpenAPI2/3 and Postman Collection file into an API server with mocking, transformations and validations.
https://stoplight.io/open-source/prism
Apache License 2.0

Vulnerability in dependency #2611

Open rory-ferguson opened 1 week ago

rory-ferguson commented 1 week ago

There is a vulnerability disclosed recently in a package this library is dependent on.

There is a PR to fix this here: https://github.com/json-schema-faker/json-schema-faker/pull/822

I am on @stoplight/prism-cli version 5.10.0

Vulnerability is disclosed here https://github.com/advisories/GHSA-pppg-cpfq-h7wr

```
# npm audit report

jsonpath-plus  <10.0.0
Severity: critical
JSONPath Plus Remote Code Execution (RCE) Vulnerability - https://github.com/advisories/GHSA-pppg-cpfq-h7wr
fix available via `npm audit fix --force`
Will install @stoplight/prism-cli@4.4.3, which is a breaking change
node_modules/jsonpath-plus
  json-schema-faker  0.5.0-rc1 - 0.5.0-rcv.46 || >=0.5.2
  Depends on vulnerable versions of jsonpath-plus
  node_modules/json-schema-faker
    @stoplight/prism-cli  *
    Depends on vulnerable versions of @stoplight/prism-http
    Depends on vulnerable versions of @stoplight/prism-http-server
    Depends on vulnerable versions of json-schema-faker
    node_modules/@stoplight/prism-cli
    @stoplight/prism-http  >=3.0.0-alpha.0
    Depends on vulnerable versions of json-schema-faker
    node_modules/@stoplight/prism-http
      @stoplight/prism-http-server  *
      Depends on vulnerable versions of @stoplight/prism-http
      node_modules/@stoplight/prism-http-server

5 critical severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```

rory-ferguson commented 1 week ago

To be precise, the vulnerability is present in the jsonpath-plus dependency, which is a dependency of the json-schema-faker library that prism is dependent on.