chore(deps): update dependency jsonpath-plus to 10.0.0 due to vulnerability #13
Conversation
|
Could you please update the lockfile as well? |
…bility Signed-off-by: Nowacki, Kacper <[email protected]>
|
knowacki23
changed the title
|
Updated |
| "version": "8.1.0", | ||
| "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-8.1.0.tgz", | ||
| "integrity": "sha512-qVTiuKztFGw0dGhYi3WNqvddx3/SHtyDT0xJaeyz4uP0d1tkpG+0y5uYQ4OcIo1TLAz3PE/qDOW9F0uDt3+CTw==", | ||
| "version": "10.0.0", |
There was a problem hiding this comment.
Hi @knowacki23, could you please update again?
Your source reports that versions < 10.0.7 are affected. Thanks a lot 👍
There was a problem hiding this comment.
Wouldn't the semver ^10.0.0 pull in the newest 10.1.0 version? https://classic.yarnpkg.com/lang/en/docs/dependency-versions/#toc-caret-ranges
There was a problem hiding this comment.
To make the library build consistent and working with version 10.1.0, package-lock.json should also be updated (again) to show explicitly that it's using a version >= 10.0.7.
|
@johannesmarx I opened #14 with the requested changes. |
|
@knowacki23 thanks for the PR. |
|
@P0lip Would you mind doing a new release now that it is removed? |
|
I don't think we need to. |
This is a simple dependency bump of the jsonpath-plus dependency.
This dependency is vulnerable according to Snyk: https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
As this is a non-major upgrade and I have not seen the vulnerability being mentioned anywhere in the repository I thought I'd open a PR for it.