Skip to content

Update dependency jsonpath-plus to v10 [SECURITY] #47

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency jsonpath-plus to v10 [SECURITY] #47

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 14, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
jsonpath-plus ^6.0.1 -> ^10.3.0 age confidence

GitHub Vulnerability Alerts

CVE-2024-21534

Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There were several attempts to fix it in versions 10.0.0-10.1.0 but it could still be exploited using different payloads

CVE-2025-1302

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.

Note:

This is caused by an incomplete fix for CVE-2024-21534.

Release Notes

s3u/JSONPath (jsonpath-plus)

v10.3.0

Compare Source

  • fix(eval): rce using non-string prop names (#​237)
  • feat(demo): make demo link shareable (#​238)
  • chore: update deps. and devDeps.

v10.2.0

Compare Source

  • fix(eval): improve security of safe-eval (#​233)
  • chore: update deps. and devDeps.

v10.1.0

Compare Source

  • feat: add typeof operator to safe script

v10.0.7

Compare Source

  • fix(security): prevent constructor access
  • docs: add security policy file

v10.0.6

Compare Source

  • fix(security): prevent call/apply invocation of Function

v10.0.5

Compare Source

  • fix: remove overly aggressive disabling of native functions but
    disallow __proto__

v10.0.4

Compare Source

  • fix(security): further prevent binding of Function calls which may evade detection

v10.0.3

Compare Source

  • fix(security): prevent binding of Function calls which may evade detection

v10.0.2

Compare Source

  • fix(security): prevent Function calls outside of member expressions

v10.0.1

  • fix(security): prohibit Function in "safe" vm

v10.0.0

BREAKING CHANGES:

  • Require Node 18+

  • fix(security): use safe vm by default in Node

  • chore: bump jsep, devDeps. and lint

v9.0.0

Compare Source

BREAKING CHANGES:

  • Removes preventEval property. Prefer eval: false instead.

  • Changed behavior of eval property. In the browser, eval/Function won't be used by default to evaluate expressions. Instead, we'll safely evaluate using a subset of JavaScript. To resume using unsafe eval in the browser, pass in the option eval: "native"

  • feat: add safe eval for browser and eval option (#​185) (@​80avin)

  • feat: add ignoreEvalErrors property (@​80avin)

v8.1.0

v8.0.0

v7.2.0

Compare Source

v7.1.0

v7.0.0

  • Breaking change: Bump engines to 12
  • fix: remove console.log when error is thrown (@​sh33dafi)
  • chore: update devDeps.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 5 times, most recently from 50b24a1 to 79cda86 Compare November 17, 2024 18:25
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from f555acb to d79d7e8 Compare December 2, 2024 14:32
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 4 times, most recently from e45fa1a to 647c00d Compare December 22, 2024 18:03
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 1a8cd89 to eea00e9 Compare January 3, 2025 11:23
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from f6ebee4 to ceeb31c Compare January 14, 2025 23:22
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 969f746 to e1a3b7c Compare January 23, 2025 21:11
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 1f7dc8b to 21f6c94 Compare January 30, 2025 22:13
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 3 times, most recently from 86caed0 to cb5e277 Compare February 9, 2025 17:33
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch from cb5e277 to f173b38 Compare February 18, 2025 22:05
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from feec66e to be98b75 Compare March 3, 2025 22:34
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 5 times, most recently from cff2702 to 1723220 Compare March 13, 2025 22:02
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 3 times, most recently from 254278b to 9aa8ab2 Compare June 4, 2025 16:51
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 4 times, most recently from e922e78 to 9146434 Compare June 22, 2025 18:00
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 02c6462 to b44392b Compare July 2, 2025 23:28
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 38c5da8 to 7bbc65d Compare July 28, 2025 18:07
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 4 times, most recently from e06949a to ad136fd Compare August 13, 2025 18:44
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from bc65cac to 81916e7 Compare August 20, 2025 00:25
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from a768e9a to 725ea23 Compare August 31, 2025 18:07
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 207f38c to 6d90b2e Compare September 25, 2025 20:26
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from da9b5c4 to 1585f7d Compare October 9, 2025 13:31
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 384a647 to 1fc3f1c Compare October 22, 2025 02:01
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch 2 times, most recently from 843b3cf to a36a55d Compare November 11, 2025 03:34
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch from a36a55d to 0a7e922 Compare November 18, 2025 09:42
@renovate renovate bot force-pushed the renovate/npm-jsonpath-plus-vulnerability branch from 0a7e922 to 45e068a Compare November 19, 2025 00:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant