xojs/xo

json5 security issue since xo 0.45.0

1000i100 opened this issue · 2 comments

# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install xo@0.44.0, which is a breaking change
node_modules/json5
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      xo  >=0.45.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/xo

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
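
As an added check that is not part of this issue or of the xo project: the script below walks an `npm ls --json --all` style tree (a constructed sample mirroring the chain in the audit report above) and lists every path that reaches a json5 release older than the 2.2.2 fix npm audit names. The eslint-plugin-import and nested json5 version numbers in the sample are assumptions.

```javascript
// Constructed sample of an `npm ls --json --all` tree mirroring the chain
// reported above: xo > eslint-plugin-import > tsconfig-paths > json5.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    xo: { version: '0.45.0', dependencies: {
      'eslint-plugin-import': { version: '2.26.0', dependencies: {  // sample version
        'tsconfig-paths': { version: '3.14.1', dependencies: {
          json5: { version: '1.0.1' } } } } } } },
    json5: { version: '2.2.2' },  // a patched top-level copy: must not be reported
  },
};

// Compare dotted numeric versions; pre-release suffixes are ignored (assumption).
function versionLessThan(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Walk the tree and return 'a > b > json5@x.y.z' for every copy of `pkg`
// older than `fixedIn`; the defaults are the package and range npm audit flagged.
function findVulnerable(tree, pkg = 'json5', fixedIn = '2.2.2') {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, name];
      if (name === pkg && dep.version && versionLessThan(dep.version, fixedIn)) {
        hits.push(`${here.join(' > ')}@${dep.version}`);
      }
      walk(dep, here);  // nested node_modules can hold further copies
    }
  };
  walk(tree, []);
  return hits;
}

// Usage: with real data, parse the output of `npm ls --json --all` instead.
console.log(findVulnerable(SAMPLE_TREE));
```

Because the walk reports the full path, the output shows which top-level dependency has to move before the nested copy disappears, which is exactly the chain the maintainers discuss below.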


You need to open an issue on eslint-plugin-import instead. There's nothing we can do about it here.

Done: import-js/eslint-plugin-import#2630
and in tsconfig-paths it's already fixed in trunk but not in the npm published version.
So when tsconfig-paths publishes the fixed version, and eslint-plugin-import publishes the updated version, you will be able to update yours.