
[BUG] @asyncapi/multi-parser still depending on vulnerable version of jsonpath-plus #1065

Open
2 tasks done
BenjaminSchwendner opened this issue Nov 21, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@BenjaminSchwendner

Describe the bug.

There is a vulnerability in jsonpath-plus on versions earlier than 10.0.7.
You already merged these two PRs (#1058, #1062), making the @asyncapi/parser package migrate to a safe version.
However, the @asyncapi/multi-parser package still depends on versions of @asyncapi/multi-parser (parserapiv1 as well as parserapiv2) that use older versions of jsonpath-plus (7.2.0).

Would it be possible to release patches for 2.1.0 and 3.0.0-next-major-spec.8 of @asyncapi/parser that use the safe version of jsonpath-plus and then make @asyncapi/multi-parser use these versions?

Expected behavior

@asyncapi/multi-parser should only rely on jsonpath-plus@>10.0.7

Screenshots

Here is the (relevant) output of npm why jsonpath-plus after running npm install @asyncapi/multi-parser on a blank npm package:

jsonpath-plus@7.2.0
node_modules/parserapiv1/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from parserapiv1@2.1.2
  node_modules/parserapiv1
    parserapiv1@"npm:@asyncapi/parser@^2.1.0" from @asyncapi/multi-parser@2.2.0
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

jsonpath-plus@7.2.0
node_modules/parserapiv2/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from parserapiv2@3.0.0-next-major-spec.8
  node_modules/parserapiv2
    parserapiv2@"npm:@asyncapi/parser@3.0.0-next-major-spec.8" from @asyncapi/multi-parser@2.2.0
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

How to Reproduce

Install @asyncapi/multi-parser and find the versions of jsonpath-plus that got installed.

🥦 Browser

None

👀 Have you checked for similar open issues?

  • I checked and didn't find a similar issue

🏢 Have you read the Contributing Guidelines?

Are you willing to work on this issue?

None

@BenjaminSchwendner BenjaminSchwendner added the bug Something isn't working label Nov 21, 2024

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

@6LpUkQSgQm

Could you let me know when you expect to review the fix for this bug?

@derberg
Member

derberg commented Dec 11, 2024

coming here from asyncapi/generator#1323

@jonaslagoni @magicmatatjahu @smoya any ideas how we could fix that? affected things are:

    "parserapiv1": "npm:@asyncapi/parser@^2.1.0",
    "parserapiv2": "npm:@asyncapi/parser@3.0.0-next-major-spec.8"

but damn, doing patches is a hell of a job

what about adding this to package.json:

"overrides": {
  "parserapiv1": {
    "jsonpath-plus": "^10.0.7"
  },
  "parserapiv2": {
    "jsonpath-plus": "^10.0.7"
  }
}

since 7.2.0 changes were:

  • v8 only breaking change was node14 requirement
  • v9 changes to eval and evaluate
  • v10 node18 requirement

the only thing is that adding such an override, we would need to release a new major for multi-parser as for now in package.json we do not have any info about node version requirements. So we need a new version and below:

  "engines": {
    "node": ">=18"
  }

@jonaslagoni @magicmatatjahu @smoya wdyt?
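As an added example (not code from the AsyncAPI project or from anyone in this thread), the script below implements the two checks discussed above: it scans an npm lockfile (lockfileVersion 2/3 "packages" map) for nested copies of jsonpath-plus below 10.0.7, the same copies that npm why shows in the report, and derives the "overrides" block proposed in the last comment, plus the "engines" floor that comment says the v10 override implies. The lockfile content is constructed to mirror the thread's npm why output, with one hypothetical already-fixed hoisted copy added; compareSemver, findVulnerableCopies, buildOverrides and requiredNodeEngine are names chosen here.

```javascript
// Added example, not AsyncAPI project code. Finds every installed copy of a package
// below a minimum safe version in a package-lock.json and builds the npm "overrides"
// entries that would pin each nested copy under its direct dependant.

// Constructed lockfile fragment mirroring the `npm why jsonpath-plus` output in the
// issue, plus a hypothetical hoisted copy that is already on a fixed version.
const SAMPLE_LOCK = {
  name: "repro",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@asyncapi/multi-parser": "^2.2.0" } },
    "node_modules/@asyncapi/multi-parser": { version: "2.2.0" },
    "node_modules/parserapiv1": {
      name: "@asyncapi/parser", version: "2.1.2",
      dependencies: { "jsonpath-plus": "^7.2.0" },
    },
    "node_modules/parserapiv1/node_modules/jsonpath-plus": { version: "7.2.0" },
    "node_modules/parserapiv2": {
      name: "@asyncapi/parser", version: "3.0.0-next-major-spec.8",
      dependencies: { "jsonpath-plus": "^7.2.0" },
    },
    "node_modules/parserapiv2/node_modules/jsonpath-plus": { version: "7.2.0" },
    "node_modules/jsonpath-plus": { version: "10.1.0" }, // hypothetical fixed copy
  },
};

// Compare two semver strings on major.minor.patch; prerelease/build tags are ignored,
// which is sufficient for a "below the fixed release" check.
function compareSemver(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name of the last node_modules segment of a lockfile path.
// Handles scoped names ("@scope/name") and aliases (the folder name is what matters).
function packageNameFromPath(lockPath) {
  const segs = lockPath.replace(/^node_modules\//, "").split("/node_modules/");
  return segs[segs.length - 1];
}

// Return every installed copy of `pkg` with version < minSafe, together with the
// package that directly depends on it (its parent folder in node_modules).
function findVulnerableCopies(lock, pkg, minSafe) {
  const out = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (packageNameFromPath(lockPath) !== pkg) continue;
    if (compareSemver(entry.version, minSafe) >= 0) continue;
    const idx = lockPath.lastIndexOf("/node_modules/");
    const parent = idx === -1 ? "(root)" : packageNameFromPath(lockPath.slice(0, idx));
    out.push({ path: lockPath, version: entry.version, parent });
  }
  return out;
}

// Build the package.json "overrides" object: nested copies are pinned under their
// direct dependant; a copy installed at the root would be pinned with a top-level key.
function buildOverrides(findings, pkg, safeRange) {
  const overrides = {};
  for (const f of findings) {
    if (f.parent === "(root)") overrides[pkg] = safeRange;
    else overrides[f.parent] = { [pkg]: safeRange };
  }
  return overrides;
}

// Node floor implied by the jsonpath-plus major being pinned, per the thread:
// v8 introduced a Node 14 requirement, v10 a Node 18 requirement.
function requiredNodeEngine(safeRange) {
  const major = Number(safeRange.replace(/^[\^~>=<]+/, "").split(".")[0]);
  if (major >= 10) return ">=18";
  if (major >= 8) return ">=14";
  return null; // no engine constraint known from the thread for older majors
}

if (typeof require !== "undefined" && require.main === module) {
  const found = findVulnerableCopies(SAMPLE_LOCK, "jsonpath-plus", "10.0.7");
  console.log("vulnerable copies:", found);
  console.log("overrides:", JSON.stringify(buildOverrides(found, "jsonpath-plus", "^10.0.7"), null, 2));
  console.log("engines.node:", requiredNodeEngine("^10.0.7"));
}

module.exports = { SAMPLE_LOCK, compareSemver, findVulnerableCopies, buildOverrides, requiredNodeEngine };
```

To run it against a real project, replace SAMPLE_LOCK with require("./package-lock.json"); the override block it prints is the one to paste into package.json, and the engines value is the reason such a change is a major bump for a package that previously declared no Node requirement.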
