You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Sep 29, 2023. It is now read-only.
Please assist in fixing / patching this security vulnerability.
Or provide any suggestions about what users of this plugin should be doing in the interim.
The text was updated successfully, but these errors were encountered:
akaustav
changed the title
Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency and is outdated
Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency - jsonpointer - and is outdated
Mar 23, 2022
akaustav
changed the title
Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency - jsonpointer - and is outdated
Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency - [email protected] - and is outdated
Mar 23, 2022
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hi @bahmutov / maintainers,
Summary
The
@bahmutov/is-my-json-valid
dependency of this repository contains (at least) one vulnerable sub-dependency -[email protected]
. See this advisory aboutCVE-2021-23807
in the GitHub Advisory Database for details about the vulnerability.My research so far
This repository contains a dependency named
@bahmutov/is-my-json-valid
.schema-tools/package.json
Line 34 in b0d1a36
The code for this dependency is hosted on this GitHub repository.
Upon closer inspection, I found that the GitHub repository at
bahmutov/is-my-json-valid
was forked from the GitHub repository atmafintosh/is-my-json-valid
(that has been published to thenpm
registry atis-my-json-valid
) around April, 2018.As of today (Wednesday, March 23, 2022), the
master
branch of the forked repositorybahmutov/is-my-json-valid
is 2 commits ahead and 43 commits behind themaster
branch of it's base repository -mafintosh/is-my-json-valid
. There is even an open Pull Request to merge the changes from these 2 commits into the base repository - fix: handle custom formats with null values mafintosh/is-my-json-valid#161.Meanwhile, both
mafintosh/is-my-json-valid
and consequentlybahmutov/is-my-json-valid
employ another sub-dependency -jsonpointer
.In
bahmutov/is-my-json-valid
- see line 10 ofpackage.json
.In
mafintosh/is-my-json-valid
- see line 19 ofpackage.json
.A Moderate security vulnerability was found in
[email protected]
. The vulnerability has been documented at CVE-2021-23807 for details.The maintainer(s) of the
node-jsonpointer
repository fixed this issue via fix-prototype-pollution janl/node-jsonpointer#51. And later published a new major version -[email protected]
.After this, the maintainer(s) of
mafintosh/is-my-json-valid
upgraded to[email protected]
via Upgrade jsonpointer to address security vulnerability mafintosh/is-my-json-valid#188.However, the forked repository -
bahmutov/is-my-json-valid
- has not been kept up to date with these new commits.Hence, every cypress repository employing any versions of the
@cypress/schema-tools
plugin until v4.7.9 inherit the same security vulnerability - CVE-2021-23807 - incoming from[email protected]
.Please assist in fixing / patching this security vulnerability.
Or provide any suggestions about what users of this plugin should be doing in the interim.
The text was updated successfully, but these errors were encountered: