Fix critical and other audit issues #181


Merged
merged 1 commit into from
Oct 17, 2024

Conversation

siimsams
Copy link

@siimsams siimsams commented Oct 15, 2024

Fixes the critical and the rest of the audit issues in this project.

As I remember, I was not supposed to upgrade the version of the package. This was left to the maintainer. It should probably be a breaking change due to Node version requirements.

Checklist

  • DCO (Developer Certificate of Origin) signed in all commits
  • npm test passes on your machine
  • New tests added or existing tests modified to cover all changes
  • Code conforms with the style guide
  • Commit messages are following our guidelines

@siimsams
Copy link
Author

siimsams commented Oct 15, 2024

"jsonpath-plus": "^4.0.0", => "jsonpath-plus": "^10.0.0",

Here are all the breaking changes for this package upgrade.

  • 10.0.0
    Requires Node 18+.
    Security fix: Now uses a safe VM by default in Node.
  • 9.0.0
    Removes the preventEval property; use eval: false instead.
    Changed behavior of the eval property: In browsers, eval or Function won’t be used by default, a safer subset of JavaScript will be used. To use unsafe eval, pass eval: "native".
  • 8.0.0
    Bumps Node engine requirement to 14.
  • 7.0.0
    Bumps Node engine requirement to 12.
  • 6.0.0
    True ESM module format is used.
    UMD and CJS builds now use the .cjs extension.
    ESM builds now use .js as the extension.
  • 5.0.0
    Breaking changes to paths:
    Node paths now use new dist files.
    Browser paths have changed to dist/index-browser-umd.js or dist/index-browser-es.js.
    Added type: 'commonjs' and exports for both import and require.
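The changelog entries above describe three ways a JSONPath filter expression can be evaluated: refused outright (eval: false), evaluated in a restricted subset of JavaScript (the safe default since 9.0.0/10.0.0), or handed to the real JavaScript engine (eval: "native", the old behaviour). The following is an added example, not jsonpath-plus's own code: a miniature model of those three modes over a single array, showing why a caller-controlled filter under native evaluation is arbitrary code execution while the safe subset rejects it before anything runs. The document, the function names (evalFilterNative, evalFilterSafe, selectItems, demo) and the tiny filter grammar are all constructed for this illustration.

```javascript
// Added example, not jsonpath-plus's own code: a model of the three filter
// evaluation modes (eval: false, safe subset, eval: "native"). The document and
// the function names are constructed for this illustration.

// Constructed sample document.
const store = {
  items: [
    { name: "pen", price: 3 },
    { name: "book", price: 12 },
    { name: "mug", price: 7 },
  ],
};

// eval: "native" -- the filter text is compiled as real JavaScript with
// Function(). Whatever the caller put in the filter runs with the full
// privileges of the process, so this mode is only acceptable for trusted,
// hard-coded paths.
function evalFilterNative(expr, item) {
  const js = expr.replace(/@/g, "item"); // "@" is the current element
  return new Function("item", `return (${js});`)(item);
}

// Safe subset: only `@.<prop> <op> <number|string>` clauses joined by && / ||.
// Anything outside that grammar is rejected before it can do harm.
const CLAUSE =
  /^\s*@\.([A-Za-z_][A-Za-z0-9_]*)\s*(<=|>=|==|!=|<|>)\s*(-?\d+(?:\.\d+)?|"[^"]*"|'[^']*')\s*$/;

function evalClause(clause, item) {
  const m = CLAUSE.exec(clause);
  if (!m) throw new Error(`unsupported filter clause: ${clause.trim()}`);
  const [, prop, op, raw] = m;
  const literal = /^["']/.test(raw) ? raw.slice(1, -1) : Number(raw);
  // Own properties only: no walking up to Object.prototype.
  const value = Object.prototype.hasOwnProperty.call(item, prop) ? item[prop] : undefined;
  switch (op) {
    case "<":  return value < literal;
    case "<=": return value <= literal;
    case ">":  return value > literal;
    case ">=": return value >= literal;
    case "==": return value === literal;
    default:   return value !== literal; // "!="
  }
}

function evalFilterSafe(expr, item) {
  // && binds tighter than ||; no parentheses in this subset.
  return expr.split("||").some((conj) => conj.split("&&").every((c) => evalClause(c, item)));
}

// Analogue of JSONPath({ path: "$.items[?(...)]", json, eval }) for one array.
function selectItems(doc, filterExpr, { eval: mode = "safe" } = {}) {
  if (mode === false) throw new Error("filter expressions are disabled (eval: false)");
  const evaluate = mode === "native" ? evalFilterNative : evalFilterSafe;
  return doc.items.filter((item) => evaluate(filterExpr, item));
}

// Runs a benign and a hostile filter through each mode and reports what happened.
function demo() {
  delete globalThis.pwned;
  const benign = "@.price < 10 && @.name != 'mug'";
  // Hostile filter: a comma expression that executes attacker code, then still
  // returns a plausible boolean so the injection is not obvious from the result.
  const hostile = '(globalThis.pwned = "filter escaped", @.price < 10)';
  const names = (items) => items.map((i) => i.name);
  const result = { safeBenign: names(selectItems(store, benign)) };
  result.nativeHostile = names(selectItems(store, hostile, { eval: "native" }));
  result.nativeSideEffect = globalThis.pwned; // set by the injected code
  delete globalThis.pwned;
  result.safeHostileRejected = false;
  try {
    selectItems(store, hostile);
  } catch (e) {
    result.safeHostileRejected = e.message.startsWith("unsupported");
  }
  result.safeSideEffect = globalThis.pwned; // still undefined: nothing executed
  result.evalFalseRejected = false;
  try {
    selectItems(store, benign, { eval: false });
  } catch (e) {
    result.evalFalseRejected = true;
  }
  return result;
}

console.log(demo());
```

The point for anyone migrating across the 4.x to 10.x jump: a project that previously set preventEval: true should now pass eval: false, and a project that relied on arbitrary JavaScript in filters must opt in explicitly with eval: "native" and treat every such path as trusted input.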

@siimsams changed the title from "Fix audit issues" to "Fix critical and other audit issues" on Oct 16, 2024
@siimsams
Copy link
Author

siimsams commented Oct 16, 2024

@raymondfeng, @dhmlau this is quite critical to do. https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

We get security alerts due to this in our repos using loopback.
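The alerts described above arise in downstream projects even when they install a fixed jsonpath-plus themselves: a dependency that still pins ^4.0.0 causes npm to keep a second, nested copy of the old version, and that copy is what the dependency actually loads. The following is an added example, not code from this PR or from LoopBack: it scans an npm lockfile (lockfileVersion 2 or 3, the "packages" map) for every installed copy of a package below a given fixed version and reports which package each outdated copy is resolved for. The lockfile is constructed inline, and "example-framework" is a made-up package name standing in for any dependency with a stale range.

```javascript
// Added example, not the PR's or LoopBack's code: find every installed copy of
// a package below a fixed version in an npm lockfile. The lockfile below is
// constructed; "example-framework" is a hypothetical dependency.

const sampleLock = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-framework": "^3.0.0", "jsonpath-plus": "^10.0.0" } },
    "node_modules/jsonpath-plus": { version: "10.0.0" },
    "node_modules/example-framework": { version: "3.1.0", dependencies: { "jsonpath-plus": "^4.0.0" } },
    // npm keeps a nested copy because ^4.0.0 cannot be satisfied by 10.0.0.
    "node_modules/example-framework/node_modules/jsonpath-plus": { version: "4.0.0" },
  },
};

// Leading major.minor.patch only; prerelease and build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Node's resolution walks up the tree: the copy a package actually loads is the
// nearest node_modules/<name> at or above its own location.
function nearestCopy(packages, name, fromPath) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Returns [{ path, version, requiredBy }] for each copy of `name` older than `fixedIn`.
function findOutdated(lock, name, fixedIn) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const isCopy = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (!isCopy || !meta.version) continue;
    if (compareVersions(meta.version, fixedIn) >= 0) continue;
    // Which declared dependents resolve to this particular copy.
    const requiredBy = Object.entries(packages)
      .filter(([p, m]) => m.dependencies && name in m.dependencies && nearestCopy(packages, name, p) === path)
      .map(([p, m]) => `${p || "(root)"} wants ${m.dependencies[name]}`);
    findings.push({ path, version: meta.version, requiredBy });
  }
  return findings;
}

console.log(findOutdated(sampleLock, "jsonpath-plus", "10.0.0"));
```

For a real project, feed findOutdated the parsed contents of package-lock.json; each finding's requiredBy field names the dependency whose range has to move before the audit alert goes away, which is exactly the fix this PR makes on the LoopBack side.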

@dhmlau
Copy link
Member

dhmlau commented Oct 17, 2024

@siimsams, thanks for the PR. The change LGTM. One minor thing is the commit lint error:

✖   subject may not be empty [subject-empty]
✖   type may not be empty [type-empty]

I'd suggest having something like:
fix: audit issue

Thanks.

Signed-off-by: siimsams <[email protected]>
@siimsams
Copy link
Author

@dhmlau Thank you for reviewing. I fixed the issues listed above.

Just an idea. Maybe commit lint could also run with DCO.

@dhmlau dhmlau merged commit 2b40cc2 into loopbackio:master Oct 17, 2024
5 checks passed
@dhmlau
Copy link
Member

dhmlau commented Oct 17, 2024

@siimsams, your PR has been merged! 🎉
