
Snyk high security vulnerability in json-ref-resolver dependency #2017

Closed
rmkeezer opened this issue Jan 5, 2022 · 3 comments · Fixed by stoplightio/json-ref-resolver#218
Labels
json-refs everything JSON Refs resolving related security Pull requests that address a security vulnerability

Comments

@rmkeezer

rmkeezer commented Jan 5, 2022


Describe the bug
I am running into a Snyk security vulnerability on the json-ref-resolver dependency because it is using an outdated dependency, lodash.set, which has an unresolved prototype pollution vulnerability. It should instead use set from the lodash dependency.

To Reproduce
See: https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032

Additional context
I opened a PR here and I'm opening this issue for visibility.
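
For readers who want to see the defensive check behind this report, here is an added example (not code from json-ref-resolver, lodash, or the PR linked in this issue): a lodash.set-style deep setter that refuses the `__proto__`, `constructor` and `prototype` path segments a prototype-pollution payload depends on, so a write can never land on `Object.prototype`. The function names `toPath`, `isSafePath`, `safeSet` and `pollutionAttemptIsBlocked` are the example's own, and the JSON-schema-like path used in the demo is constructed.

```javascript
// Added example, not code from json-ref-resolver or lodash.
// A deep "set" that rejects path segments which would redirect the
// write onto Object.prototype. Plain Node.js, no dependencies.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "a.b[0].c" (or "a.b.0.c", or an array of keys) into string segments.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\d+)\]/g, ".$1") // a[0].b -> a.0.b
    .split(".")
    .filter((seg) => seg.length > 0);
}

// True only when no segment could walk into the prototype chain.
function isSafePath(path) {
  return toPath(path).every((seg) => !FORBIDDEN_KEYS.has(seg));
}

// Sets `value` at `path` inside `obj`, creating intermediate objects/arrays.
// Throws instead of silently descending through __proto__ / constructor.prototype.
function safeSet(obj, path, value) {
  const segs = toPath(path);
  if (segs.length === 0) throw new TypeError("empty path");
  if (!isSafePath(segs)) {
    throw new TypeError(`refusing unsafe path segment in ${JSON.stringify(segs)}`);
  }
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    // Only descend into own object-valued properties; anything inherited
    // (e.g. a method on Object.prototype) is shadowed by a fresh container.
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== "object") {
      cur[key] = /^\d+$/.test(segs[i + 1]) ? [] : {};
    }
    cur = cur[key];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Self-check: a classic pollution path is rejected and Object.prototype stays clean.
function pollutionAttemptIsBlocked() {
  let threw = false;
  try { safeSet({}, "__proto__.polluted", true); } catch (e) { threw = true; }
  return threw && ({}).polluted === undefined;
}
```

The same `isSafePath` guard can be applied to any user-controlled JSON pointer or reference path before it reaches a generic deep-set helper.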

@rmkeezer rmkeezer changed the title Snyk high security vulnerability in json-ref-resolver dependency Snyk high security vulnerability in json-ref-resolver dependency Jan 5, 2022
@dpopp07
Contributor

dpopp07 commented Jan 10, 2022

@P0lip Any outlook on this vulnerability being addressed?

@P0lip
Contributor

P0lip commented Mar 24, 2022

Ooops, my apologies, I missed this one.
I see @rmkeezer was kind enough to create PRs, so all that's left for me is to review them. I'll make sure to do it by the end of the week.
Once again, my apologies for dropping a ball on this one.

@P0lip P0lip added security Pull requests that address a security vulnerability json-refs everything JSON Refs resolving related labels Mar 24, 2022
@P0lip P0lip reopened this Jun 6, 2022
@P0lip
Contributor

P0lip commented Oct 3, 2022

Updated the dep in dc97f24.
@stoplight/spectral-ref-resolver@1.0.2 should be out in a few minutes

@P0lip P0lip closed this as completed Oct 3, 2022