XeroAPI/xero-node

Vulnerability with json-schema@0.2.3

amansanghvi opened this issue · 3 comments

SDK you're using (please complete the following information):

  • Version [4.19.1, 4.23.0]

Describe the bug
Snyk on our system shows a "high" ranked vulnerability:

xero-node@4.19.1 › request@2.88.2 › http-signature@1.2.0 › jsprim@1.4.1 › json-schema@0.2.3

as this may pollute the global prototype via the validate function.

This is fixed in json-schema@0.4.0.

Automated advice from Snyk is:

Your dependencies are out of date, otherwise you would be using a newer json-schema than json-schema@0.2.3. Try relocking your lockfile or deleting node_modules. If the problem persists, one of your dependencies may be bundling outdated modules.
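
The path Snyk printed above can be checked directly against a project's package-lock.json. The script below is an added example, not code from xero-node or from the issue author: it walks a lockfile (nested `dependencies` for lockfileVersion 1, the flat `packages` map for lockfileVersion 2/3), lists every installed copy of a package, and reports the ones older than the fixed version together with the dependency path that pulls them in. The two sample lockfiles are constructed inline; the versions come from the issue, the tree shape and the file name `audit-lock.js` are assumptions.

```javascript
// Added example (not xero-node project code): find every copy of a package in
// a package-lock.json and flag those below the fixed version, printing the
// dependency path the way Snyk reports it. Sample lockfiles are constructed
// here: versions are the ones quoted in the issue, the tree shape is assumed.

// lockfileVersion 1 shape: nested "dependencies" objects.
const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'xero-node': {
      version: '4.19.1',
      dependencies: {
        request: {
          version: '2.88.2',
          dependencies: {
            'http-signature': {
              version: '1.2.0',
              dependencies: {
                jsprim: {
                  version: '1.4.1',
                  dependencies: { 'json-schema': { version: '0.2.3' } },
                },
              },
            },
          },
        },
      },
    },
    'json-schema': { version: '0.4.0' }, // hoisted copy, already patched
  },
};

// lockfileVersion 2/3 shape: flat "packages" map keyed by install path.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/xero-node': { version: '5.0.1' },
    'node_modules/json-schema': { version: '0.4.0' },
  },
};

// Compare dotted numeric versions; a pre-release suffix is ignored.
function parseVersion(v) {
  return String(v).split('-')[0].split('.').map(Number);
}
function lessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every installed copy of `target`: { path: [package names from the root], version }.
function findInstalls(lock, target) {
  const hits = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry
      // "node_modules/a/node_modules/b" -> ["a", "b"]
      const path = key.split('node_modules/').map(s => s.replace(/\/$/, '')).filter(Boolean);
      if (path[path.length - 1] === target) hits.push({ path, version: info.version });
    }
  } else {
    const walk = (deps, path) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const here = path.concat(name);
        if (name === target) hits.push({ path: here, version: info.version });
        walk(info.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Copies older than `fixedIn`, rendered as "a > b > target@version" lines.
function vulnerableInstalls(lock, target, fixedIn) {
  return findInstalls(lock, target)
    .filter(h => lessThan(h.version, fixedIn))
    .map(h => `${h.path.join(' > ')}@${h.version}`);
}

// Usage: node audit-lock.js [path/to/package-lock.json]  (no path: scan the sample)
if (typeof require === 'function' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK_V1;
  const bad = vulnerableInstalls(lock, 'json-schema', '0.4.0');
  console.log(bad.length ? bad.join('\n') : 'no json-schema < 0.4.0 found');
}
```

Run against the V1 sample it prints `xero-node > request > http-signature > jsprim > json-schema@0.2.3`; the hoisted 0.4.0 copy is not reported, which is why a clean top-level `npm ls json-schema` can still hide a nested vulnerable copy pinned by jsprim.
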

tnzzz commented

Hi @amansanghvi 👋 I've just started looking into this issue, and believe it is related to #579 and the deprecated request library.

We have updated the required packages in our new version. npm audit report is clean now.

Please use version v5.0.1

Let us know about any further issues on this ticket. @amansanghvi @tnzzz

Please use version v5.0.1