mirror of https://github.com/Unleash/unleash.git synced 2025-04-29 01:15:48 +02:00

chore(deps): update dependency jsonpath-plus to v10.3.0 [security] (#9326)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [jsonpath-plus](https://redirect.github.com/s3u/JSONPath) | [`10.2.0` -> `10.3.0`](https://renovatebot.com/diffs/npm/jsonpath-plus/10.2.0/10.3.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/jsonpath-plus/10.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/jsonpath-plus/10.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/jsonpath-plus/10.2.0/10.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/jsonpath-plus/10.2.0/10.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-1302](https://nvd.nist.gov/vuln/detail/CVE-2025-1302)

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to
Remote Code Execution (RCE) due to improper input sanitization. An
attacker can execute arbitrary code on the system by exploiting the
unsafe default usage of eval='safe' mode.

**Note:**

This is caused by an incomplete fix for CVE-2024-21534.

---

### Release Notes

<details>
<summary>s3u/JSONPath (jsonpath-plus)</summary>

### [`v10.3.0`](https://redirect.github.com/s3u/JSONPath/blob/HEAD/CHANGES.md#1030)

[Compare Source](https://redirect.github.com/s3u/JSONPath/compare/v10.2.0...v10.3.0)

- fix(eval): rce using non-string prop names ([#237](https://redirect.github.com/s3u/JSONPath/issues/237))
- feat(demo): make demo link shareable ([#238](https://redirect.github.com/s3u/JSONPath/issues/238))
- chore: update deps. and devDeps.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/Unleash/unleash).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate[bot] 2025-02-18 22:20:17 +00:00 committed by GitHub
parent 14b6b38238
commit c1fc07f402
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 5 additions and 5 deletions
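
A lockfile check for the version range named in the advisory above, as an added example that is not part of this commit or of the Unleash or jsonpath-plus projects. The sample lockfile text, the `^10.0.0` entry resolving to 10.1.0, and the function names are constructed for illustration.

```javascript
const FIXED = '10.3.0'; // first fixed release per the advisory above

// Constructed sample; the ^10.0.0 entry resolving to 10.1.0 is hypothetical.
const SAMPLE_LOCK = `
"json5@npm:^2.2.2":
  version: 2.2.3
  resolution: "json5@npm:2.2.3"

"jsonpath-plus@npm:10.3.0":
  version: 10.3.0
  resolution: "jsonpath-plus@npm:10.3.0"

"jsonpath-plus@npm:^10.0.0, jsonpath-plus@npm:^10.1.0":
  version: 10.1.0
  resolution: "jsonpath-plus@npm:10.1.0"
`;

// Numeric x.y.z comparison; returns <0, 0 or >0. Pre-release tags are
// dropped (assumption: the versions of interest are plain x.y.z).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// List every lockfile entry for `pkg` with its resolved version and whether
// that version is older than `fixed`.
function auditLockfile(lockText, pkg, fixed = FIXED) {
  const findings = [];
  let key = null;
  for (const line of lockText.split(/\r?\n/)) {
    // Entry headers start in column 0: "name@npm:range, name@npm:range":
    const header = line.match(/^"?([^"\s][^"]*?)"?:\s*$/);
    if (header) { key = header[1]; continue; }
    const ver = line.match(/^\s+version:\s*"?([^"\s]+)"?\s*$/);
    if (!ver || key === null) continue;
    if (key.split(/,\s*/).some((d) => d.startsWith(pkg + '@'))) {
      findings.push({ descriptor: key, version: ver[1],
        vulnerable: compareVersions(ver[1], fixed) < 0 });
    }
    key = null; // one version line per entry
  }
  return findings;
}
console.log(auditLockfile(SAMPLE_LOCK, 'jsonpath-plus'));
```

Any entry reported with `vulnerable: true` means some dependency range still resolves below the fixed release, even if another entry is already at 10.3.0.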

@ -130,7 +130,7 @@
"resolutions": {
"@codemirror/state": "6.5.2",
"@xmldom/xmldom": "^0.9.0",
"jsonpath-plus": "10.2.0",
"jsonpath-plus": "10.3.0",
"json5": "^2.2.2",
"vite": "5.4.14",
"semver": "7.7.0",
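
Review bot: in the `resolutions` block, `"jsonpath-plus": "10.3.0"` stays an exact override and nothing records which dependency pulls the package in, so every consumer is held at 10.3.0 until someone edits this line again. Note in the PR which upstream package needs the override and drop the entry once that package itself requires a fixed version; the commit message says this CVE stems from an incomplete earlier fix, so a further bump of this line is plausible.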

@ -6740,9 +6740,9 @@ __metadata:
languageName: node
linkType: hard
"jsonpath-plus@npm:10.2.0":
version: 10.2.0
resolution: "jsonpath-plus@npm:10.2.0"
"jsonpath-plus@npm:10.3.0":
version: 10.3.0
resolution: "jsonpath-plus@npm:10.3.0"
dependencies:
"@jsep-plugin/assignment": "npm:^1.3.0"
"@jsep-plugin/regex": "npm:^1.0.4"
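
Review bot: nothing here proves that 10.2.0 is gone from the dependency tree: the `jsonpath-plus@npm:10.2.0` key is replaced at this position, but a second `jsonpath-plus@npm:` entry elsewhere in the lockfile would not appear in this diff. Confirm with `yarn why jsonpath-plus` that 10.3.0 is the only resolved version before relying on this bump as the fix for the advisory.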
@ -6750,7 +6750,7 @@ __metadata:
bin:
jsonpath: bin/jsonpath-cli.js
jsonpath-plus: bin/jsonpath-cli.js
checksum: 10c0/46480781a0a0b5347dc592fd69ef7ff0fa5a5e322a3f1f23997319e77ee937762366d722facafcc5e8d16101e9cdf1ae14df1f1777b2933990aadd0cdb20d8f5
checksum: 10c0/f5ff53078ecab98e8afd1dcdb4488e528653fa5a03a32d671f52db1ae9c3236e6e072d75e1949a80929fd21b07603924a586f829b40ad35993fa0247fa4f7506
languageName: node
linkType: hard
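
Review bot: the new `checksum` line cannot be validated by reading it, so this part of the review depends on CI. Make sure the pipeline runs `yarn install --immutable` (ideally with `--check-cache`) so that a lockfile checksum that does not match the fetched 10.3.0 package fails the build instead of being merged automatically.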