orval-labs/orval

Snyk failing in Pipeline due to jsonpath-plus issue

Closed this issue · 20 comments

What are the steps to reproduce this issue?

Run snyk test --severity-threshold=high on the package after installing

What happens?

Issues with no direct upgrade or patch:
✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884] in jsonpath-plus@6.0.1
introduced by orval@7.1.1 > @orval/angular@7.1.1 > @orval/core@7.1.1 > @ibm-cloud/openapi-ruleset@1.23.1 > @stoplight/spectral-formats@1.7.0 > @stoplight/spectral-core@1.19.1 > jsonpath-plus@7.1.0 and 1 other path(s)
This issue was fixed in versions: 10.0.0

What were you expecting to happen?

Snyk to be fine with all Orval dependencies

Any logs, error output, etc?

https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

Any other comments?

What versions are you using?

npmPackages:
axios: ^1.7.7 => 1.7.7
msw: ^2.4.9 => 2.4.9
orval: ^7.1.1 => 7.1.1
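To verify whether a bump of an intermediate dependency actually removes the vulnerable transitive copy, here is an added example (not orval's code, and not from the issue) that walks an npm lockfile v2/v3 "packages" map and reports every root-to-package path that resolves to a version older than the release Snyk lists as the fix; the embedded lockfile is constructed to mirror the chain reported above, with illustrative versions.

```javascript
// Added example (not orval's code): walk an npm lockfile v2/v3 "packages" map and report
// every root-to-package path whose resolved version is older than the fixing release.
// LOCK is a constructed lockfile mirroring this issue's chain; versions are illustrative.
const LOCK = {
  packages: {
    "": { dependencies: { orval: "^7.1.1", "jsonpath-plus": "^10.0.0" } },
    "node_modules/orval": { version: "7.1.1", dependencies: { "@orval/core": "7.1.1" } },
    "node_modules/@orval/core": { version: "7.1.1", dependencies: { "@ibm-cloud/openapi-ruleset": "1.23.1" } },
    "node_modules/@ibm-cloud/openapi-ruleset": { version: "1.23.1", dependencies: { "@stoplight/spectral-core": "^1.19.1" } },
    "node_modules/@stoplight/spectral-core": { version: "1.19.1", dependencies: { "jsonpath-plus": "7.1.0" } },
    // nested copy: spectral-core still pins the vulnerable major although the root has 10.x
    "node_modules/@stoplight/spectral-core/node_modules/jsonpath-plus": { version: "7.1.0" },
    "node_modules/jsonpath-plus": { version: "10.0.0" },
  },
};
// Node-style resolution: look for `name` in the nearest node_modules, walking upward.
function resolve(packages, from, name) {
  let dir = from;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx < 0 ? "" : dir.slice(0, idx);
  }
}
// Numeric major.minor.patch comparison; pre-release tags are ignored.
function olderThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// Depth-first walk from the root, returning "a@1 > b@2 > ..." for each path ending at `name` below `fixedIn`.
function findVulnerablePaths(lock, name, fixedIn) {
  const pkgs = lock.packages, hits = [];
  const walk = (key, trail, seen) => {
    if (seen.has(key)) return; // cycle guard (npm trees can be cyclic)
    const next = new Set(seen).add(key);
    for (const dep of Object.keys(pkgs[key].dependencies || {})) {
      const target = resolve(pkgs, key, dep);
      if (!target) continue; // optional/peer dep that is not installed
      const label = dep + "@" + pkgs[target].version;
      if (dep === name) {
        if (olderThan(pkgs[target].version, fixedIn)) hits.push([...trail, label].join(" > "));
      } else walk(target, [...trail, label], next);
    }
  };
  walk("", [], new Set());
  return hits;
}
```

Call findVulnerablePaths(LOCK, "jsonpath-plus", "10.0.0") to list the offending chain; an empty result after a dependency bump means no installed copy is still below the fixed version.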

Updating dependencies of dependencies can be tricky, but a PR is welcome!


It looks like the fix is there but not tagged yet.

stoplightio/spectral@5205058

@Mariscal6 thanks for keeping your eye on it, and let us know when it's released so we can bump!

Hello @melloware, it looks like the PR has been merged :)

Nice, now Spectral needs to do a release.

There is another PR that needs to land in spectral: stoplightio/spectral#2712

OK somebody let me know when Spectral releases.

@melloware looks like the PR has landed :)

Yep, but spectral has not done a release yet...

@melloware spectral has released the new version

I will look at this today!

PR is here, but looking at it, it looks like IBM OpenApiTools is what needs to update to the latest Spectral? https://github.com/orval-labs/orval/pull/1701/files

@melloware correct, I will try to open a PR there tomorrow.

It's actually not validator, it's @ibm-cloud/openapi-ruleset, which I updated to 1.25.0, but I'm still not sure that fixes it.

Indeed, I've created a PR to update the deps there:

IBM/openapi-validator#697

@melloware version 1.25.1 should now be out.

PR updated! #1702

OK 7.3.0 is out if everyone wants to try it.