-
-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency jsonpath-plus to 10.0.0 due to vulnerability #1056
Conversation
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Welcome to AsyncAPI. Thanks a lot for creating your first pull request. Please check out our contributors guide useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.
…bility Signed-off-by: Nowacki, Kacper <kacper.nowacki@dynatrace.com>
Quality Gate passedIssues Measures |
@knowacki23 as of the changeset-bot, there will be no new version released as there is no changeset yet. I'm pretty sure this is not what you intend. |
@pjungermann - what needs to be done to unblock this PR/get a new release? I am getting this critical security issue flagged by automations and it'll shut down our CI/CD pipelines for my service and related services soon ... or is it better to create a new PR with the required changeset ? |
I'm not part of this project and just passed by due to the same vulnerability myself. The changeset-bot included links where you can find information on how to add a changeset, etc. Adding this as a new commit or amending your current commit, both are fine. A new PR is close to never required, I would say. |
I am not the original author and therefore can't amend this PR. @jonaslagoni @smoya - any chance you guys can amend/ add the changeset and review this PR? |
Opened #1058 which adds the changeset since there has been no activity on this pull request for over 2 weeks |
As #1058 had all the necessary changes, that was merged 🙏 |
Description
This is a simple dependency bump in parser of the jsonpath-plus dependency.
This dependency is vulnerable according to Snyk: https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
As this is a non-major upgrade and I have not seen the vulnerability being mentioned anywhere in the repository I thought I'd open a PR for it.