zaach / jsonlint

A JSON parser and validator with a CLI.
http://zaach.github.com/jsonlint/

Arbitrary code execution vulnerability affecting underscore package #133

Open jrpomeroy opened 3 years ago

jrpomeroy commented 3 years ago

Any hope of getting a fix that replaces nomnom? It's deprecated and depends on a version of underscore that has a high severity vulnerability:

https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

```
└─┬ jsonlint@1.6.3
  └─┬ nomnom@1.8.1
    └── underscore@1.6.0
```

coderextreme commented 3 years ago

I am having difficulty building my repos without a good jsonlint, please fix quickly. Thanks!

Simple package.json which will reveal the problem with npm install

```
$ cat package.json
{
  "name": "x3dvalidate",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "jsonlint": "^1.6.3"
  }
}
```

coderextreme commented 3 years ago

https://github.com/zaach/jsonlint/pull/120

sedlakr commented 3 years ago

I have analyzed this vulnerability. Underscore is only a dev dependency for building jsonlint.js by jison (https://github.com/zaach/jison). It is not used in production code. So I forked the repository, created a new version and published the package under my scope. Look at https://www.npmjs.com/package/@sedlak.r/jsonlint. Hope it will help someone.

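As an added illustration of the dev-versus-production distinction raised in the comment above (example code, not from the jsonlint project): a small Python walker over an npm v1 lockfile that lists every dependency chain reaching a named package, the way `npm ls` does, and reports whether the whole chain is flagged `dev`. The lockfile fragment, including the jison/lodash entries and the version ranges, is constructed for this example, modelled on the tree quoted earlier in the thread.

```python
"""Walk an npm lockfile (lockfileVersion 1 layout) and report each chain of
packages that reaches a target package, plus whether that chain is dev-only.

Added example, not part of the jsonlint project. The lockfile below is a
constructed fragment, not a real package-lock.json from any project."""
import json

# Constructed lockfile fragment: a flat top-level "dependencies" map where each
# entry carries "version", an optional "dev": true flag (npm marks packages
# reachable only through devDependencies this way) and a "requires" map.
CONSTRUCTED_LOCK = json.loads("""
{
  "name": "x3dvalidate",
  "lockfileVersion": 1,
  "dependencies": {
    "jsonlint":   {"version": "1.6.3", "requires": {"nomnom": "^1.5.0"}},
    "nomnom":     {"version": "1.8.1", "requires": {"underscore": "~1.6.0"}},
    "underscore": {"version": "1.6.0"},
    "jison":      {"version": "0.4.18", "dev": true, "requires": {"lodash": "*"}},
    "lodash":     {"version": "4.17.21", "dev": true}
  }
}
""")


def chains_to(lock, target):
    """Return a list of (chain, dev_only) tuples. `chain` is a list of
    'name@version' strings from a direct project dependency down to `target`;
    `dev_only` is True when every package on the chain carries "dev": true."""
    deps = lock.get("dependencies", {})
    required = {n for d in deps.values() for n in d.get("requires", {})}
    roots = [n for n in deps if n not in required]  # nobody requires them
    results = []

    def walk(name, path):
        entry = deps.get(name)
        if entry is None or name in path:  # unresolved entry or a cycle
            return
        path = path + [name]
        if name == target:
            chain = [f"{n}@{deps[n]['version']}" for n in path]
            results.append((chain, all(deps[n].get("dev", False) for n in path)))
            return
        for child in entry.get("requires", {}):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return results


if __name__ == "__main__":
    for chain, dev_only in chains_to(CONSTRUCTED_LOCK, "underscore"):
        print(" > ".join(chain), "(dev only)" if dev_only else "(production)")
```

A chain that is not dev-only, as with underscore here, ships to consumers of the package; a dev-only chain matters only at build time.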
lrntgt commented 3 years ago

My guess is that it would be resolved if we publish the package on npm again as version 1.6.4. This would take into account the recent commits.

christopherwood commented 2 years ago

https://github.com/zaach/jsonlint/pull/141

As noted in the PR, removing package-lock.json lets the package build without the vulnerable dependency.

doniz commented 7 months ago

And why does this still remain unsolved? The issue was created 3 years ago, no progress.