
1544 update jsonpath package #1545

Closed
wants to merge 2 commits into from

Conversation

milanmayr

Update jsonpath package to remediate CVE-2024-21534

@milanmayr
Author

milanmayr commented Oct 10, 2024

resolves #1544

@rick-aguayo

What is the timeframe for this PR to get reviewed, approved and merged?

@jaredperreault-okta
Contributor

We are working on upgrading jsonpath-plus, however our current usage of already disables eval

POC: 7ab2f4e#diff-9e03680efb5f8da7b469de8eb39f499e8e696a20f9085319dbb4d7a17e794717R14

@chaitanyareddy-mula

chaitanyareddy-mula commented Oct 16, 2024

Hey @milanmayr, will there be any breaking change if I override the "jsonpath-plus" to ^10.0.0 in order to mitigate the risk in my project until the fix is merged?

@milanmayr
Author

> Hey @milanmayr, will there be any breaking change if I override the "jsonpath-plus" to ^10.0.0 in order to mitigate the risk in my project until the fix is merged?

Yes, I believe so, because in the newer version, the preventEval option has been changed to eval.

@milanmayr
Author

> We are working on upgrading jsonpath-plus, however our current usage of already disables eval
>
> POC: 7ab2f4e#diff-9e03680efb5f8da7b469de8eb39f499e8e696a20f9085319dbb4d7a17e794717R14

@jaredperreault-okta considering y'all are already working on this, should I abandon this PR and let all discussion continue in #1544?

@jaredperreault-okta
Contributor

@chaitanyareddy-mula Yes. jsonpath-plus@10.0.0 requires node 18+ and the API signature has changed

@milanmayr
Author

This PR is closed -- work on this can be followed at 7ab2f4e#diff-9e03680efb5f8da7b469de8eb39f499e8e696a20f9085319dbb4d7a17e794717R14

milanmayr deleted the 1544-update-jsonpath-package branch October 16, 2024 17:53
@jaredperreault-okta
Contributor

Addressed in 7.8.1 (released on npm)
