json5 security issue #2630

1000i100 · 2022-12-31T02:21:41Z

# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install xo@0.44.0, which is a breaking change
node_modules/json5
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      xo  >=0.45.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/xo

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

The text was updated successfully, but these errors were encountered:

1000i100 · 2022-12-31T02:24:19Z

Next tsconfig-paths version will fix it : dividab/tsconfig-paths#233

ljharb · 2022-12-31T06:37:59Z

json5 v1.0.2 has been published which fixes it. No action needs to be taken in ANY other package.

This is also a duplicate of #2628 and #2627.

ljharb · 2022-12-31T06:38:19Z

Additionally, this is not a vulnerability - it's a false positive, and you should just ignore it.

1000i100 mentioned this issue Dec 31, 2022

json5 security issue since xo 0.45.0 xojs/xo#700

Closed

ljharb closed this as not planned Won't fix, can't repro, duplicate, stale Dec 31, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

json5 security issue #2630

json5 security issue #2630

1000i100 commented Dec 31, 2022

1000i100 commented Dec 31, 2022

ljharb commented Dec 31, 2022

ljharb commented Dec 31, 2022

json5 security issue #2630

json5 security issue #2630

Comments

1000i100 commented Dec 31, 2022

1000i100 commented Dec 31, 2022

ljharb commented Dec 31, 2022

ljharb commented Dec 31, 2022