Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency jsonpath-plus to 10.0.0 due to vulnerability #1056

Closed
wants to merge 1 commit into from

Conversation

knowacki23
Copy link
Contributor

Description

This is a simple dependency bump in parser of the jsonpath-plus dependency.

This dependency is vulnerable according to Snyk: https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
As this is a non-major upgrade and I have not seen the vulnerability being mentioned anywhere in the repository I thought I'd open a PR for it.

Copy link

changeset-bot bot commented Oct 14, 2024

⚠️ No Changeset found

Latest commit: cc05fe7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome to AsyncAPI. Thanks a lot for creating your first pull request. Please check out our contributors guide useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

…bility

Signed-off-by: Nowacki, Kacper <kacper.nowacki@dynatrace.com>
Copy link

@pjungermann
Copy link

@knowacki23 as of the changeset-bot, there will be no new version released as there is no changeset yet. I'm pretty sure this is not what you intend.

@195858
Copy link

195858 commented Oct 22, 2024

@knowacki23 as of the changeset-bot, there will be no new version released as there is no changeset yet. I'm pretty sure this is not what you intend.

@pjungermann - what needs to be done to unblock this PR/get a new release? I am getting this critical security issue flagged by automations and it'll shut down our CI/CD pipelines for my service and related services soon ... or is it better to create a new PR with the required changeset ?

@pjungermann
Copy link

I'm not part of this project and just passed by due to the same vulnerability myself.

The changeset-bot included links where you can find information on how to add a changeset, etc.

Adding this as a new commit or amending your current commit, both are fine. A new PR is close to never required, I would say.

@195858
Copy link

195858 commented Oct 22, 2024

@pjungermann

I am not the original author and therefore can't amend this PR.

@jonaslagoni @smoya - any chance you guys can amend/ add the changeset and review this PR?

@coreydaley
Copy link
Contributor

Opened #1058 which adds the changeset since there has been no activity on this pull request for over 2 weeks

@jonaslagoni
Copy link
Member

jonaslagoni commented Oct 28, 2024

As #1058 had all the necessary changes, that was merged 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants