Skip to content

Vulnerability for versions < 10.0.7 of JSONPath #639

New issue
New issue
Closed
Closed
Vulnerability for versions < 10.0.7 of JSONPath#639
@jeremy-brooks

Description

@jeremy-brooks
jeremy-brooks
opened on Jan 9, 2025

There is a vulnerability in the transitive dependency JSONPath

Description

The latest possible version of JSONPath that can be installed is 7.2.0 because of the following conflicting dependencies:

  • serverless-step-functions@3.21.2 requires jsonpath-plus@^7.0.0 via a transitive dependency on asl-path-validator@0.13.0
  • serverless-step-functions@3.21.2 requires jsonpath-plus@^7.2.0 via a transitive dependency on asl-validator@3.8.3

The earliest fixed version of JSONPath is 10.0.7.

The vulnerability was first published in November 2024.

See CVE-2024-21534 for more details.

Activity

yo-ga
mentioned this on Jan 21, 2025
lym953

lym953 commented on Mar 4, 2025

@lym953
lym953
on Mar 4, 2025

Bump this. Since #640 is merged, when is it going to be released?

zirkelc

zirkelc commented on May 13, 2025

@zirkelc
zirkelc
on May 13, 2025
Collaborator

Available in the latest release

zirkelc
closed this as completedon May 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @zirkelc@jeremy-brooks@lym953

        Issue actions
          Vulnerability for versions < 10.0.7 of JSONPath · Issue #639 · serverless-operations/serverless-step-functions