Fix CVE in jsonpath-plus (again)

[soniqua]

Describe the bug
The jsonpath-plus dependency contains a critical CVE, even after upgrading to 10.0.0: CVE-2024-21534

The library has been fixed as of version 10.0.7 or higher.

There's an open dependabot PR for resolution.

** Client Version **
0.22.1

Environment (please complete the following information):

• NodeJS Client

Additional context

• Previous fix: Fix CVE in jsonpath-plus dep #1926

[timd73]

@mstruebing
Any idea on an ETA for a 0.22.x patch release?

[brendandburns]

No current eta, but probably within the week. fwiw, this library only uses this library for kubeconfig file loading. If you have malicious JSONPath in your kubeconfig, you have far worse problems than this RCE.

Also, unless your kubeconfig contains a jsonpath value you're not impacted by this CVE.

[timd73]

@brendandburns thanks for the update/ETA, and for the added info.

FWIW, I am not concerned about the actual vulnerability, as I'd gathered that it's not truly exploitable. Rather it's about making the vulnerability scanners happy (remind me, do we work for them, or they for us?).

But good to know about how it impacts this library - thanks again!