Open jrpomeroy opened 3 years ago
I am having difficulty building my repos without a good jsonlint, please fix quickly. Thanks!
Simple package.json which will reveal the problem with npm install
$ cat package.json
{
  "name": "x3dvalidate",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "jsonlint": "^1.6.3"
  }
}
I have analyzed this vulnerability. Underscore is only a dev dependency for building jsonlint.js by jison (https://github.com/zaach/jison). It is not used in production code. So I forked the repository, created a new version and published the package under my scope. Look at https://www.npmjs.com/package/@sedlak.r/jsonlint. Hope it will help someone.
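The claim above (underscore only enters through the build tooling) can be checked against a project's own lock file. The following is an added example, not code from the jsonlint project: it walks a package-lock.json (lockfileVersion 2/3 "packages" map) and prints every dependency chain that reaches a given package, marking chains that exist only because of a devDependency. The lock data is constructed to mirror the thread (jsonlint -> nomnom -> underscore) and the version numbers are placeholders.

```javascript
// Added example, not code from the jsonlint project: walk a package-lock.json
// (lockfileVersion 2/3 "packages" map) and list every dependency chain that reaches
// a given package, flagging chains that exist only because of a devDependency
// (npm marks packages reachable solely that way with "dev": true).

// Package name from a lock key such as "node_modules/a/node_modules/b" -> "b".
const nameOf = (key) => key.slice(key.lastIndexOf('node_modules/') + 13);

function findChains(lock, target) {
  const pkgs = lock.packages || {};
  const chains = [];
  function walk(key, trail, seen, devOnly) {
    const entry = pkgs[key];
    if (!entry || seen.includes(key)) return; // unknown entry or a cycle
    const name = key === '' ? '(root)' : nameOf(key);
    const chain = trail.concat(name);
    const dev = devOnly || entry.dev === true;
    if (name === target) { chains.push({ chain, version: entry.version, dev }); return; }
    const deps = Object.assign({}, entry.dependencies, key === '' ? entry.devDependencies : {});
    for (const dep of Object.keys(deps)) {
      // npm hoists packages: look in this package's own node_modules, then upward.
      let base = key;
      for (;;) {
        const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
        if (pkgs[candidate]) { walk(candidate, chain, seen.concat(key), dev); break; }
        if (!base) break;
        const i = base.lastIndexOf('node_modules/');
        base = i > 0 ? base.slice(0, i - 1) : '';
      }
    }
  }
  walk('', [], [], false);
  return chains;
}

// Chains that survive a production install (npm install --omit=dev).
const prodChains = (lock, target) => findChains(lock, target).filter((c) => !c.dev);

// Constructed lock modelled on the thread: jsonlint -> nomnom -> underscore in
// production, plus a dev-only jison -> underscore path. Versions are placeholders.
const SAMPLE_LOCK = {
  name: 'x3dvalidate', lockfileVersion: 3,
  packages: {
    '': { dependencies: { jsonlint: '^1.6.3' }, devDependencies: { jison: '*' } },
    'node_modules/jsonlint': { version: '1.6.3', dependencies: { nomnom: '^1.5.2' } },
    'node_modules/nomnom': { version: '1.8.1', dependencies: { underscore: '~1.6.0' } },
    'node_modules/underscore': { version: '1.6.0' },
    'node_modules/jison': { version: '0.4.0', dev: true, dependencies: { underscore: '*' } },
    'node_modules/jison/node_modules/underscore': { version: '1.13.0', dev: true },
  },
};

findChains(SAMPLE_LOCK, 'underscore').forEach((c) =>
  console.log(c.dev ? 'dev ' : 'prod', c.chain.join(' > ') + '@' + c.version));
```

A chain reported as "prod" means the package ships in a regular install regardless of whether the consumer's own code ever calls it, which is exactly why the nomnom path in this thread keeps tripping audits.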
My guess is that it would be resolved if we publish the package on npm again as version 1.6.4. This would take into account the recent commits:
https://github.com/zaach/jsonlint/pull/141
As noted in the PR, removing package-lock.json lets the package build without the vulnerable dependency.
And why does this still remain unsolved? The issue was created 3 years ago, no progress.
Any hope of getting a fix that replaces nomnom? It's deprecated and depends on a version of underscore that has a high severity vulnerability:
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984