[Bug] Prototype Pollution in JSON5 via Parse Method

[apalski]

Could be bump the tsconfig-paths version to fix the json5 vulnerability please
https://security.snyk.io/vuln/SNYK-JS-JSON5-3182856

[ljharb]

It's not a bug, and it's not a vulnerability.

This has been discussed in #2447 - tsconfig-paths can not be upgraded, because it's a breaking change.

Also, it's not actually vulnerable, and this is also a duplicate of #2625, and a duplicate of #2626, and a duplicate of #2627.

[apalski]

Thanks for all the info Jordan. Sorry to waste your time, I did hunt using json5 and looked through the issues & PRs for a few months. Will dig deeper next time Cheers Annette Annette Drapalski Software Engineer QANTAS HOTELS - QANTAS LOYALTY E. ***@***.*** ***@***.***> I *acknowledge the Traditional Owners and Custodians of the land on which I live and work -* the Gundungurra Clan* - and pay my respect to Elders past, present and emerging.* [image: Qantas Hotels] Powering qantas.com/hotels <https://www.qantas.com/hotels>and jetstar.com/hotels <https://www.jetstar.com/hotels> *We work flexibly at Qantas Loyalty. If you receive an email from me outside of normal business hours, I'm sending it at a time that suits me. Unless it's urgent, I'm not expecting you to read or reply until normal business hours.* This e-mail is intended only to be read or used by the addressee. It is confidential and may contain legally privileged information. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone, and you should destroy this message and kindly notify the sender by reply e-mail. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you.

…

On Fri, 30 Dec 2022 at 18:39, Jordan Harband ***@***.***> wrote: Closed #2628 <https://urldefense.com/v3/__https://github.com/import-js/eslint-plugin-import/issues/2628__;!!PUxuPyJo!3vKcU_9Hu_agHQU2PCw7zDFd8V_1aKFg974dcMAs8otSOCiz97cWHVRj81g77rqY4blaSJNUPhGOAb930L2R5VyQ_O7hAXqJsr8$> as not planned. — Reply to this email directly, view it on GitHub <https://urldefense.com/v3/__https://github.com/import-js/eslint-plugin-import/issues/2628*event-8129340989__;Iw!!PUxuPyJo!3vKcU_9Hu_agHQU2PCw7zDFd8V_1aKFg974dcMAs8otSOCiz97cWHVRj81g77rqY4blaSJNUPhGOAb930L2R5VyQ_O7hYpI9ess$>, or unsubscribe <https://urldefense.com/v3/__https://github.com/notifications/unsubscribe-auth/AFHZ76TQMZUYTNMB4ULMEYLWP2GT5ANCNFSM6AAAAAATMV6NZ4__;!!PUxuPyJo!3vKcU_9Hu_agHQU2PCw7zDFd8V_1aKFg974dcMAs8otSOCiz97cWHVRj81g77rqY4blaSJNUPhGOAb930L2R5VyQ_O7hkOy4mK0$> . You are receiving this because you authored the thread.Message ID: ***@***.*** com>

[ljharb]

json5 v1.0.2 is published, so update your lockfiles and you're all set. No need to do anything.