From cc05fe7306d0868688256fb07fe61eaf1b914857 Mon Sep 17 00:00:00 2001
From: knowacki23
Date: Mon, 14 Oct 2024 10:35:07 +0200
Subject: [PATCH 1/2] chore(deps): update dependency jsonpath-plus to 10.0.0 due to vulnerability
Signed-off-by: Nowacki, Kacper
---
 package-lock.json | 34 ++++++++++++++++++++++++++++++++--
 packages/parser/package.json | 2 +-
 2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 666363482..1ab6f665e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1271,6 +1271,18 @@
 "@jridgewell/sourcemap-codec": "^1.4.14"
 }
 },
+ "node_modules/@jsep-plugin/assignment": {
+ "version": "1.2.1",
+ "resolved": "https://registry.npmjs.org/@jsep-plugin/assignment/-/assignment-1.2.1.tgz",
+ "integrity": "sha512-gaHqbubTi29aZpVbBlECRpmdia+L5/lh2BwtIJTmtxdbecEyyX/ejAOg7eQDGNvGOUmPY7Z2Yxdy9ioyH/VJeA==",
+ "license": "MIT",
+ "engines": {
+ "node": ">= 10.16.0"
+ },
+ "peerDependencies": {
+ "jsep": "^0.4.0||^1.0.0"
+ }
+ },
 "node_modules/@jsep-plugin/regex": {
 "version": "1.0.3",
 "resolved": "https://registry.npmjs.org/@jsep-plugin/regex/-/regex-1.0.3.tgz",
@@ -12219,7 +12231,7 @@
 },
 "packages/parser": {
 "name": "@asyncapi/parser",
- "version": "3.2.2",
+ "version": "3.3.0",
 "license": "Apache-2.0",
 "dependencies": {
 "@asyncapi/specs": "^6.8.0",
@@ -12239,7 +12251,7 @@
 "ajv-formats": "^2.1.1",
 "avsc": "^5.7.5",
 "js-yaml": "^4.1.0",
- "jsonpath-plus": "^7.2.0",
+ "jsonpath-plus": "^10.0.0",
 "node-fetch": "2.6.7"
 },
 "devDependencies": {
@@ -12281,6 +12293,24 @@
 "undici-types": "~5.26.4"
 }
 },
+ "packages/parser/node_modules/jsonpath-plus": {
+ "version": "10.0.0",
+ "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.0.0.tgz",
+ "integrity": "sha512-v7j76HGp/ibKlXYeZ7UrfCLSNDaBWuJMA0GaMjA4sZJtCtY89qgPyToDDcl2zdeHh4B5q/B3g2pQdW76fOg/dA==",
+ "license": "MIT",
+ "dependencies": {
+ "@jsep-plugin/assignment": "^1.2.1",
+ "@jsep-plugin/regex": "^1.0.3",
+ "jsep": "^1.3.9"
+ },
+ "bin": {
+ "jsonpath": "bin/jsonpath-cli.js",
+ "jsonpath-plus": "bin/jsonpath-cli.js"
+ },
+ "engines": {
+ "node": ">=18.0.0"
+ }
+ },
 "packages/parser/node_modules/undici-types": {
 "version": "5.26.5",
 "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
diff --git a/packages/parser/package.json b/packages/parser/package.json
index 1128ad916..fd02ae9eb 100644
--- a/packages/parser/package.json
+++ b/packages/parser/package.json
@@ -59,7 +59,7 @@
 "ajv-formats": "^2.1.1",
 "avsc": "^5.7.5",
 "js-yaml": "^4.1.0",
- "jsonpath-plus": "^7.2.0",
+ "jsonpath-plus": "^10.0.0",
 "node-fetch": "2.6.7"
 },
 "devDependencies": {
From a43930a4cfcb36002db40ac5eef6b2f95d6603a0 Mon Sep 17 00:00:00 2001
From: Corey Daley
Date: Mon, 28 Oct 2024 09:54:34 -0400
Subject: [PATCH 2/2] adding changeset
---
 .changeset/new-ears-clap.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .changeset/new-ears-clap.md
diff --git a/.changeset/new-ears-clap.md b/.changeset/new-ears-clap.md
new file mode 100644
index 000000000..93a5e2b4e
--- /dev/null
+++ b/.changeset/new-ears-clap.md
@@ -0,0 +1,6 @@
+---
+"@asyncapi/multi-parser": minor
+"@asyncapi/parser": minor
+---
+
+Updating jsonpath-plus dependency to mitigate CVE-2024-21534
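Review bot: In the packages/parser/package.json hunk, the new floor `"jsonpath-plus": "^10.0.0"` is also the exact version the lockfile pins, so the patch is only as good as 10.0.0 itself. The changeset names CVE-2024-21534 as the reason; please confirm against that advisory's fixed-version range that 10.0.0 is fully patched, and if it names a later release, set `"jsonpath-plus": "^<FIXED_VERSION_FROM_ADVISORY>"` and regenerate the lock. Separately, the new lock entry declares `"node": ">=18.0.0"`, and the jump from ^7.2.0 crosses three major versions. The parser's own `engines` field and CI Node matrix are not visible in this hunk and should be checked so that consumers on older Node are not left on, or pushed back to, the vulnerable range.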