Release a new package to include the patch for CVE-2024-21534 critical vulnerability #2717

Closed
bo-acc opened this issue Oct 25, 2024 · 11 comments · Fixed by #2742

bo-acc commented Oct 25, 2024

Chore summary
Release a new package to include the patch for CVE-2024-21534 critical vulnerability covered in #2709

Tasks

  • Test json-path v10.0.0
  • Release a new package

Additional context
N/A

@bo-acc bo-acc added the chore label Oct 25, 2024
@mnaumanali94
Contributor

We're working on a pipeline problem to fix this and get it released. The ETA is early next week.

Author

bo-acc commented Oct 25, 2024

I highly appreciate your prompt response and dedication on the open-source work. Thank you!

@bo-acc bo-acc closed this as completed Oct 25, 2024
Contributor

jacquesg commented Nov 1, 2024

Hi @mnaumanali94, manage to get the pipeline problem fixed? Would really appreciate a new release of this :)


bkmu commented Nov 5, 2024

@mnaumanali94 Is there anything the rest of the community can do to help support getting the pipeline issue resolved? I too am sitting tight awaiting the new release and would be willing to help troubleshoot whatever is going on!

Contributor

jacquesg commented Nov 7, 2024

Can we reopen this issue?

@mnaumanali94 mnaumanali94 reopened this Nov 7, 2024
@mnaumanali94
Contributor

@jacquesg Apologies for the delay here. We should have it out tomorrow. The team got pulled into some other things. 🙏🏼

I'll post the details here as we get it out.

Contributor

jacquesg commented Nov 7, 2024

> @jacquesg Apologies for the delay here. We should have it out tomorrow. The team got pulled into some other things. 🙏🏼
>
> I'll post the details here as we get it out.

Thank you @mnaumanali94, appreciate the effort.

@mnaumanali94
Contributor

@jacquesg @bkmu @bo-acc The new release should be out. Let me know if y'all see any issues with that.

Author

bo-acc commented Nov 12, 2024

Thank you so much!

@bo-acc bo-acc closed this as completed Nov 12, 2024
@davidensinger

@mnaumanali94 Hi, sorry for bringing this issue back from the dead, but jsonpath-plus@10.1.0 unfortunately doesn’t fix the vulnerability. The latest version, 10.2.0, does remediate the security issue.

See:

Would you please update the version or use a caret ^ for jsonpath-plus for https://github.com/stoplightio/spectral/blob/develop/packages/core/package.json#L50 or would you accept a PR?

Thank you for your time on this too.
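
Added example, not part of the original thread or of the Spectral project: a consumer-side check that scans an npm lockfile (`lockfileVersion` 2 or 3) for every installed copy of jsonpath-plus, including copies nested under another package, and flags those older than the 10.2.0 threshold stated in the comment above. The function names, the sample lockfile and the `example-linter` package are constructed for illustration.

```javascript
// Threshold taken from the comment above (10.1.0 reported as still affected).
const MIN_FIXED = "10.2.0";

// Parse "MAJOR.MINOR.PATCH"; any prerelease/build suffix is ignored,
// so "10.2.0-rc.1" is treated like "10.2.0" (assumption of this example).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly before version b (numeric compare).
function isOlder(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Walk the lockfile's "packages" map. Keys are install paths, so a nested
// copy appears as "node_modules/<parent>/node_modules/jsonpath-plus".
function findOutdated(lock, name = "jsonpath-plus", min = MIN_FIXED) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && isOlder(meta.version, min))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile: the top-level copy is current, but two
// nested copies pulled in by other packages are not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/example-linter": { version: "1.0.0" },
    "node_modules/example-linter/node_modules/jsonpath-plus": { version: "10.1.0" },
    "node_modules/jsonpath-plus": { version: "10.2.0" },
    "node_modules/other/node_modules/jsonpath-plus": { version: "7.1.0" },
  },
};

for (const hit of findOutdated(sampleLock)) {
  console.log(`${hit.path} -> ${hit.version} (older than ${MIN_FIXED})`);
}
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findOutdated` in place of `sampleLock`.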

@frankkilcommins
Contributor

Thanks for reporting @davidensinger - we'll take a look.
