Dependency on the vulnerable org.json:json:20220320
Closed this issue · 8 comments
Expected Behavior
No dependencies with vulnerabilities
Current Behavior
2 High vulnerabilities
Possible Solution
Update org.json:json to a recent version
Hello Team, can you please provide your thoughts about the issue? Is it safe to run the client in production? Do you have plans to update the dependency?
Also, I noticed that you already have a PR that addresses one of the vulnerabilities, but you didn't merge it, provide any response or fix the issue yourself. Why?
@alok1111 thanks for creating this ticket. I am taking a look at this and will update soon.
Correction. The package has been deployed to a staging env. I'll update this issue once it's generally available.
@izaaz thank you for the update.
1.21.1 fixes only one vulnerability, CVE-2022-45688. Would you please also fix CVE-2023-5072? To do that you need to upgrade org.json:json to at least 20231013.
I also noticed that the org.json:json versions are out of sync between demo, main and test. So the project tests probably run on a wrong version.
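The two problems raised in this thread, a module still pinning org.json:json below the version that closes CVE-2023-5072 and the demo/main/test modules pinning different versions, can both be caught with a small audit over the build files. The script below is an added example, not code from this project or from the org.json maintainers. It assumes a Maven layout with one pom.xml per module (the thread does not say which build tool is used); the three pom fragments are constructed samples, not the project's real files. The only version fact taken from the thread is that 20231013 is the minimum org.json:json release that fixes CVE-2023-5072; the script also resolves a `<version>` given as a `${property}`, since that is the usual way a version goes out of sync between modules.

```python
import re
import xml.etree.ElementTree as ET

# Minimum org.json:json release named in the thread as fixing CVE-2023-5072.
MIN_FIXED_VERSION = "20231013"

# Constructed sample pom.xml fragments for the three modules named in the
# thread. These are illustrative inputs, not the project's real build files.
SAMPLE_POMS = {
    "demo/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.json</groupId><artifactId>json</artifactId><version>20220320</version>
    </dependency>
  </dependencies>
</project>""",
    "main/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><json.version>20231013</json.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.json</groupId><artifactId>json</artifactId><version>${json.version}</version>
    </dependency>
  </dependencies>
</project>""",
    "test/pom.xml": """<project>
  <dependencies>
    <dependency>
      <groupId>org.json</groupId><artifactId>json</artifactId><version>20230227</version>
    </dependency>
  </dependencies>
</project>""",
}

_PROPERTY_REF = re.compile(r"^\$\{([^}]+)\}$")


def _local(tag):
    """Strip the XML namespace so namespaced and plain poms are handled alike."""
    return tag.rsplit("}", 1)[-1]


def find_org_json_version(pom_xml):
    """Return the declared org.json:json version in a pom, resolving ${property} refs.

    Returns None when the artifact is not declared in this pom.
    """
    root = ET.fromstring(pom_xml)
    properties = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            properties = {_local(c.tag): (c.text or "").strip() for c in elem}
    for elem in root.iter():
        if _local(elem.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("groupId") == "org.json" and fields.get("artifactId") == "json":
            version = fields.get("version")
            match = _PROPERTY_REF.match(version or "")
            if match:
                # Unresolvable property: report the raw reference so it is flagged.
                version = properties.get(match.group(1), version)
            return version
    return None


def audit(poms, min_version=MIN_FIXED_VERSION):
    """Classify each module's org.json:json pin and flag cross-module drift.

    Returns ({path: (version, status)}, versions_out_of_sync).
    org.json versions are YYYYMMDD date stamps, so they compare as integers.
    """
    report = {}
    for path, xml in poms.items():
        version = find_org_json_version(xml)
        if version is None:
            status = "absent"
        elif not version.isdigit():
            status = "unparseable"
        elif int(version) < int(min_version):
            status = "vulnerable"
        else:
            status = "ok"
        report[path] = (version, status)
    declared = {v for v, _ in report.values() if v is not None}
    return report, len(declared) > 1


if __name__ == "__main__":
    result, drift = audit(SAMPLE_POMS)
    for path, (version, status) in result.items():
        print(f"{path}: org.json:json {version} -> {status}")
    if drift:
        print("warning: modules pin different org.json:json versions")
```

Running it on the constructed samples reports demo and test as vulnerable, main as ok, and warns that the modules disagree; in a real repository you would feed it the actual pom.xml contents and fail the build on any "vulnerable", "unparseable" or drifting result.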