Skip to content
This repository has been archived by the owner on Sep 29, 2023. It is now read-only.

Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency - [email protected] - and is outdated #388

Open
akaustav opened this issue Mar 23, 2022 · 0 comments

Comments

@akaustav
Copy link

akaustav commented Mar 23, 2022

Hi @bahmutov / maintainers,

Summary

The @bahmutov/is-my-json-valid dependency of this repository contains (at least) one vulnerable sub-dependency - [email protected]. See this advisory about CVE-2021-23807 in the GitHub Advisory Database for details about the vulnerability.

My research so far

  1. This repository contains a dependency named @bahmutov/is-my-json-valid.

    "@bahmutov/is-my-json-valid": "2.17.3",

  2. The code for this dependency is hosted on this GitHub repository.

  3. Upon closer inspection, I found that the GitHub repository at bahmutov/is-my-json-valid was forked from the GitHub repository at mafintosh/is-my-json-valid (that has been published to the npm registry at is-my-json-valid) around April, 2018.

  4. As of today (Wednesday, March 23, 2022), the master branch of the forked repository bahmutov/is-my-json-valid is 2 commits ahead and 43 commits behind the master branch of it's base repository - mafintosh/is-my-json-valid. There is even an open Pull Request to merge the changes from these 2 commits into the base repository - fix: handle custom formats with null values mafintosh/is-my-json-valid#161.

  5. Meanwhile, both mafintosh/is-my-json-valid and consequently bahmutov/is-my-json-valid employ another sub-dependency - jsonpointer.

    1. In bahmutov/is-my-json-valid - see line 10 of package.json.

    2. In mafintosh/is-my-json-valid - see line 19 of package.json.

  6. A Moderate security vulnerability was found in [email protected]. The vulnerability has been documented at CVE-2021-23807 for details.

  7. The maintainer(s) of the node-jsonpointer repository fixed this issue via fix-prototype-pollution janl/node-jsonpointer#51. And later published a new major version - [email protected].

  8. After this, the maintainer(s) of mafintosh/is-my-json-valid upgraded to [email protected] via Upgrade jsonpointer to address security vulnerability mafintosh/is-my-json-valid#188.

  9. However, the forked repository - bahmutov/is-my-json-valid - has not been kept up to date with these new commits.

  10. Hence, every cypress repository employing any versions of the @cypress/schema-tools plugin until v4.7.9 inherit the same security vulnerability - CVE-2021-23807 - incoming from [email protected].

Please assist in fixing / patching this security vulnerability.
Or provide any suggestions about what users of this plugin should be doing in the interim.

NOTE: Technically, this issue belongs in https://github.com/bahmutov/is-my-json-valid repository. But that repository does NOT allow me to open an Issue (I don't see the "Issues" tab at the top). So, I am opening this issue here.

@akaustav akaustav changed the title Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency and is outdated Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency - jsonpointer - and is outdated Mar 23, 2022
@akaustav akaustav changed the title Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency - jsonpointer - and is outdated Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency - [email protected] - and is outdated Mar 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant