Vulnerability for versions < 10.0.7 of JSONPath

Question

Closed this issue 6 months ago · 2 comments

There is a vulnerability in the transitive dependency JSONPath

The latest possible version of JSONPath that can be installed is 7.2.0 because of the following conflicting dependencies:

serverless-step-functions@3.21.2 requires jsonpath-plus@^7.0.0 via a transitive dependency on asl-path-validator@0.13.0
serverless-step-functions@3.21.2 requires jsonpath-plus@^7.2.0 via a transitive dependency on asl-validator@3.8.3

The earliest fixed version of JSONPath is 10.0.7.

The vulnerability was first published in November 2024.

See CVE-2024-21534 for more details.

Answer 1 · 2025-03-04T22:56:00.000Z

Bump this. Since #640 is merged, when is it going to be released?

Answer 2 · 2025-05-13T08:36:06.000Z

Available in the latest release