
chore: EXT-2825 upgrade jsonpath to fix critical vuln #687

Merged
merged 1 commit into main from chore/EXT-2825-upgrade-jsonpath
Feb 19, 2025

Conversation

acaprar
Contributor

@acaprar acaprar commented Feb 18, 2025

We have a Critical sev in sweater-comb:
[screenshot of the Critical finding, taken 2025-02-18 10:49:12]

Because of this, other projects are affected.

In order to fix it, we need to upgrade jsonpath-plus to 10.3.0

@CLAassistant

CLAassistant commented Feb 18, 2025

CLA assistant check
All committers have signed the CLA.

@acaprar acaprar force-pushed the chore/EXT-2825-upgrade-jsonpath branch from 0e099d2 to 2e84b31 Compare February 18, 2025 08:46
@@ -67,7 +67,8 @@
"yargs": "~17.6.0"
},
"overrides": {
"postman-collection": "4.2.0"
"postman-collection": "4.2.0",
"jsonpath-plus": "^10.3.0"
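Review bot: the new override is a caret range (`"jsonpath-plus": "^10.3.0"`) while the existing `"postman-collection": "4.2.0"` override on the line above is an exact pin; since `npm ci` installs exactly what package-lock.json records, the range only governs what a future `npm install` may float to, so either pin `10.3.0` for consistency with the neighbouring override or confirm in review that the lockfile's top-level jsonpath-plus entry resolved to 10.3.0. Note also that a top-level override applies to every dependent, including @kubernetes/client-node, which the lockfile change in this PR shows was carrying its own 7.2.0 copy; if that package turns out to need the older major, npm's nested override form (an object keyed by the parent package name inside `overrides`) would limit the change to that parent instead of the whole tree.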
Contributor Author

Because we run npm ci in our test pipeline, package.json and package-lock.json need to be in sync other

@acaprar acaprar marked this pull request as ready for review February 18, 2025 08:53
@acaprar acaprar requested a review from a team as a code owner February 18, 2025 08:53
@@ -5393,15 +5393,6 @@
"openid-client": "^5.3.0"
}
},
"node_modules/@kubernetes/client-node/node_modules/jsonpath-plus": {
"version": "7.2.0",
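Review bot: deleting the nested `node_modules/@kubernetes/client-node/node_modules/jsonpath-plus` entry (7.2.0) makes @kubernetes/client-node resolve to the hoisted copy, but this hunk does not show the top-level `node_modules/jsonpath-plus` entry moving to 10.3.0, and the hunk header (`-5393,15 +5393,6`) indicates more removed lines than are visible here; please confirm in the same commit that the hoisted entry is at 10.3.0 with its `resolved` and `integrity` fields updated, and that `npm ls jsonpath-plus` reports a single version, otherwise the override in package.json and the lockfile are not actually in sync and `npm ci` will fail.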
Member

That is a big version change, are you sure this isn't going to break something?

Contributor Author

@acaprar acaprar Feb 18, 2025

From the tests it seems to be fine, but if you think the tests do not cover all scenarios then we could set jsonpath to 10.3.0 except for @kubernetes/client-node || update @kubernetes/client-node
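The two points raised in this thread, that `npm ci` only works when package.json and package-lock.json agree, and that a top-level override drags every dependent (here @kubernetes/client-node) onto the new major, both come down to one question: does every copy of jsonpath-plus recorded in the lockfile, hoisted or nested, actually satisfy the override? The script below is an added example, not code from the sweater-comb repository or from npm, that answers that question for a lockfileVersion 2/3 file. The package.json and package-lock.json objects in it are constructed to mirror the "before" state of this PR (a nested 7.2.0 copy under @kubernetes/client-node alongside the hoisted 10.3.0) and the "after" state; the version given for @kubernetes/client-node itself is a placeholder, since the PR does not state it.

```javascript
// Added example (not sweater-comb project code): audit a package-lock.json
// (lockfileVersion 2 or 3) for installed copies of a package that do not
// satisfy the override declared in package.json. An override only helps if
// every copy in the lockfile, hoisted or nested, actually obeys it; otherwise
// package.json and the lockfile are out of sync and `npm ci` refuses to run.

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Minimal range support for the two forms that appear in this PR's overrides:
// an exact pin ("4.2.0") and a caret range ("^10.3.0", i.e. >=10.3.0 <11.0.0).
// Caret semantics for 0.x majors are not implemented; any other syntax throws
// rather than silently passing.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const lo = parseVersion(range.slice(1));
    if (lo[0] === 0) throw new Error(`0.x caret ranges not supported: ${range}`);
    const hi = [lo[0] + 1, 0, 0];
    return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
  }
  if (/^\d/.test(range)) return compareVersions(v, parseVersion(range)) === 0;
  throw new Error(`unsupported range: ${range}`);
}

// Package name from a lockfile path such as
// "node_modules/@kubernetes/client-node/node_modules/jsonpath-plus" -> "jsonpath-plus".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Every lockfile entry whose name has a string override in package.json but
// whose recorded version does not satisfy it. Parent-scoped (nested) overrides
// are objects rather than strings and are skipped by this check.
function findOverrideViolations(pkg, lock) {
  const overrides = pkg.overrides || {};
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry
    const range = overrides[packageNameFromPath(lockPath)];
    if (typeof range !== 'string') continue;
    if (!satisfies(entry.version, range)) {
      violations.push({ path: lockPath, version: entry.version, expected: range });
    }
  }
  return violations;
}

// Constructed sample manifests mirroring the PR (placeholder version for
// @kubernetes/client-node, which the PR does not name).
const packageJson = {
  name: 'example-app',
  overrides: {
    'postman-collection': '4.2.0',
    'jsonpath-plus': '^10.3.0',
  },
};

const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/jsonpath-plus': { version: '10.3.0' },
    'node_modules/postman-collection': { version: '4.2.0' },
    'node_modules/@kubernetes/client-node': { version: '0.0.0' }, // placeholder
    'node_modules/@kubernetes/client-node/node_modules/jsonpath-plus': { version: '7.2.0' },
  },
};

// The fix drops the nested copy so @kubernetes/client-node resolves to the hoisted 10.3.0.
const lockAfter = JSON.parse(JSON.stringify(lockBefore));
delete lockAfter.packages['node_modules/@kubernetes/client-node/node_modules/jsonpath-plus'];

function auditReport(pkg, lock) {
  const v = findOverrideViolations(pkg, lock);
  return v.length === 0
    ? 'OK: every overridden package resolves within its override range'
    : v.map((x) => `VIOLATION ${x.path} is ${x.version}, override requires ${x.expected}`).join('\n');
}

console.log('before:', auditReport(packageJson, lockBefore));
console.log('after: ', auditReport(packageJson, lockAfter));
```

Against a real checkout, read the two files with `fs.readFileSync` and pass the parsed objects to `findOverrideViolations`; `npm ls jsonpath-plus --all` gives the same answer from npm itself. If the reviewer's concern about @kubernetes/client-node turns out to be justified, the alternative mentioned above maps to npm's documented nested override form, `"overrides": { "@kubernetes/client-node": { "jsonpath-plus": "7.2.0" } }`, which this script skips (it is an object, not a string) and which would need the check extended to parent-scoped entries.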

@acaprar acaprar merged commit 859d8e8 into main Feb 19, 2025
7 checks passed
@acaprar acaprar deleted the chore/EXT-2825-upgrade-jsonpath branch February 19, 2025 09:17
@snyksec

snyksec commented Feb 27, 2025

🎉 This PR is included in version 3.5.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

4 participants