Project: mod-graphql / Issue: MODGQL-141

Update json-ptr from ^2.2.0 to ^3.0.0 fixing prototype pollution (CVE-2021-23509)


Details

    • Bug
    • Status: Closed
    • TBD
    • Resolution: Done
    • 1.9.0
    • None
    • Thor

    Description

      json-ptr < 3.0.0 has a prototype pollution security vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-23509

      Dependency path:

      raml-1-parser@1.1.47 requires json-path@0.1.3 requires json-ptr@~0.1.1

      json-ptr@~0.1.1 is resolved to json-ptr 2.2.0: https://github.com/folio-org/mod-graphql/blob/ee78059a28d2cc7c7e92aa4dcdbc5fb249d4b094/yarn.lock#L4390-L4391

      json-path has not been maintained since 2013: https://www.npmjs.com/package/json-path

      Therefore we need to bump the json-ptr version via the "resolutions" section of package.json.
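The check and the fix the description calls for, as an added example (not code from this issue or the mod-graphql project): a Node script that scans a yarn.lock for json-ptr entries still resolved below 3.0.0 and adds the package.json "resolutions" override. The lockfile fragment is constructed, and the addResolution helper is hypothetical.

```javascript
// Added example (not from MODGQL-141 or the mod-graphql project): scan a v1
// yarn.lock for json-ptr entries resolved below 3.0.0 (range affected by
// CVE-2021-23509) and build the "resolutions" override the issue calls for.
const SAMPLE_YARN_LOCK = `
json-path@0.1.3:
  version "0.1.3"
  dependencies:
    json-ptr "~0.1.1"
json-ptr@~0.1.1:
  version "2.2.0"
"json-ptr@^3.0.0":
  version "3.0.1"
`; // constructed fragment mirroring the issue's path; no real URLs or hashes
// Parse yarn.lock into [{ selectors, version }]: an unindented line ending in ':'
// opens an entry; its indented `version "x.y.z"` line is the resolved version.
function parseLockEntries(lockText) {
  const entries = [];
  let current = null;
  for (const line of lockText.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const selectors = line.replace(/:\s*$/, '').split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { selectors, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}
const packageName = (sel) => sel.slice(0, sel.lastIndexOf('@')); // name before the last '@'
// Numeric major.minor.patch comparison; pre-release suffixes are ignored.
function isBelow(version, fixed) {
  const num = (v) => v.replace(/^v/, '').split('-')[0].split('.').map((n) => Number(n) || 0);
  const [a, b] = [num(version), num(fixed)];
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  return false;
}
// json-ptr entries whose resolved version is still in the affected range.
function findVulnerableJsonPtr(lockText, fixedVersion = '3.0.0') {
  return parseLockEntries(lockText)
    .filter((e) => e.version && e.selectors.some((s) => packageName(s) === 'json-ptr'))
    .filter((e) => isBelow(e.version, fixedVersion));
}
// Hypothetical helper: add the override so yarn re-resolves every json-ptr selector to ^3.0.0.
function addResolution(pkg, name = 'json-ptr', range = '^3.0.0') {
  return { ...pkg, resolutions: { ...(pkg.resolutions || {}), [name]: range } };
}
```

After adding the override, re-run `yarn install` and re-scan the regenerated yarn.lock; the transitive `json-ptr@~0.1.1` selector should then resolve to a 3.x version.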

People

  Mike Taylor (mike)
  Julian Ladisch (julianladisch)