json5 security issue since xo 0.45.0
1000i100 opened this issue · 2 comments
1000i100 commented
# npm audit report
json5 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install xo@0.44.0, which is a breaking change
node_modules/json5
node_modules/tsconfig-paths/node_modules/json5
tsconfig-paths 3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
Depends on vulnerable versions of json5
node_modules/tsconfig-paths
eslint-plugin-import >=2.24.2
Depends on vulnerable versions of tsconfig-paths
node_modules/eslint-plugin-import
xo >=0.45.0
Depends on vulnerable versions of eslint-plugin-import
node_modules/xo
4 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
sindresorhus commented
You need to open an issue on eslint-plugin-import
instead. There's nothing we can do about it here.
1000i100 commented
Done : import-js/eslint-plugin-import#2630
and in tsconfig-paths it's already fixed in trunk but not in npm published version.
So when tsconfig-paths publish the fixed version, and eslint-plugin-import publish the updated version, you will be able to update yours.