Skip to content

Update dependency jsonpath-plus to v10 [SECURITY] #47

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency jsonpath-plus to v10 [SECURITY] #47

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 14, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
jsonpath-plus ^6.0.1 -> ^10.3.0 age confidence

GitHub Vulnerability Alerts

CVE-2024-21534

Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There were several attempts to fix it in versions 10.0.0-10.1.0 but it could still be exploited using different payloads

CVE-2025-1302

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.

Note:

This is caused by an incomplete fix for CVE-2024-21534.

Release Notes

s3u/JSONPath (jsonpath-plus)

v10.3.0

Compare Source

  • fix(eval): rce using non-string prop names (#​237)
  • feat(demo): make demo link shareable (#​238)
  • chore: update deps. and devDeps.

v10.2.0

Compare Source

  • fix(eval): improve security of safe-eval (#​233)
  • chore: update deps. and devDeps.

v10.1.0

Compare Source

  • feat: add typeof operator to safe script

v10.0.7

Compare Source

  • fix(security): prevent constructor access
  • docs: add security policy file

v10.0.6

Compare Source

  • fix(security): prevent call/apply invocation of Function

v10.0.5

Compare Source

  • fix: remove overly aggressive disabling of native functions but
    disallow __proto__

v10.0.4

Compare Source

  • fix(security): further prevent binding of Function calls which may evade detection

v10.0.3

Compare Source

  • fix(security): prevent binding of Function calls which may evade detection

v10.0.2

Compare Source

  • fix(security): prevent Function calls outside of member expressions

v10.0.1

  • fix(security): prohibit Function in "safe" vm

v10.0.0

BREAKING CHANGES:

  • Require Node 18+

  • fix(security): use safe vm by default in Node

  • chore: bump jsep, devDeps. and lint

v9.0.0

Compare Source

BREAKING CHANGES:

  • Removes preventEval property. Prefer eval: false instead.

  • Changed behavior of eval property. In the browser, eval/Function won't be used by default to evaluate expressions. Instead, we'll safely evaluate using a subset of JavaScript. To resume using unsafe eval in the browser, pass in the option eval: "native"

  • feat: add safe eval for browser and eval option (#​185) (@​80avin)

  • feat: add ignoreEvalErrors property (@​80avin)

v8.1.0

v8.0.0

v7.2.0

Compare Source

v7.1.0

v7.0.0

  • Breaking change: Bump engines to 12
  • fix: remove console.log when error is thrown (@​sh33dafi)
  • chore: update devDeps.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 5 times, most recently from 50b24a1 to 79cda86 Compare November 17, 2024 18:25
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from f555acb to d79d7e8 Compare December 2, 2024 14:32
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 4 times, most recently from e45fa1a to 647c00d Compare December 22, 2024 18:03
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 1a8cd89 to eea00e9 Compare January 3, 2025 11:23
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from f6ebee4 to ceeb31c Compare January 14, 2025 23:22
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 969f746 to e1a3b7c Compare January 23, 2025 21:11
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 1f7dc8b to 21f6c94 Compare January 30, 2025 22:13
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 3 times, most recently from 86caed0 to cb5e277 Compare February 9, 2025 17:33
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch from cb5e277 to f173b38 Compare February 18, 2025 22:05
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from feec66e to be98b75 Compare March 3, 2025 22:34
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 5 times, most recently from cff2702 to 1723220 Compare March 13, 2025 22:02
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 3 times, most recently from eb47643 to 47078ab Compare March 17, 2025 23:13
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 3 times, most recently from 313e7d6 to 397a205 Compare April 8, 2025 11:20
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch from 397a205 to 27f28b2 Compare April 8, 2025 16:57
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from ab375ad to 421ecde Compare April 24, 2025 17:32
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 4 times, most recently from a81a976 to 4771788 Compare May 13, 2025 19:23
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 18eef86 to c444ed2 Compare May 19, 2025 22:47
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 3 times, most recently from 3e7f53d to 254278b Compare June 4, 2025 10:36
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch from 254278b to 9aa8ab2 Compare June 4, 2025 16:51
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 4 times, most recently from e922e78 to 9146434 Compare June 22, 2025 18:00
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch from 9146434 to 02c6462 Compare July 2, 2025 18:33
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch from 02c6462 to b44392b Compare July 2, 2025 23:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants