From c1fc07f4027a690a24cb1d3084e3f585394752db Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 18 Feb 2025 22:20:17 +0000 Subject: [PATCH] chore(deps): update dependency jsonpath-plus to v10.3.0 [security] (#9326) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [jsonpath-plus](https://redirect.github.com/s3u/JSONPath) | [`10.2.0` -> `10.3.0`](https://renovatebot.com/diffs/npm/jsonpath-plus/10.2.0/10.3.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/jsonpath-plus/10.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/jsonpath-plus/10.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/jsonpath-plus/10.2.0/10.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/jsonpath-plus/10.2.0/10.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-1302](https://nvd.nist.gov/vuln/detail/CVE-2025-1302) Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for CVE-2024-21534. --- ### Release Notes
s3u/JSONPath (jsonpath-plus) ### [`v10.3.0`](https://redirect.github.com/s3u/JSONPath/blob/HEAD/CHANGES.md#1030) [Compare Source](https://redirect.github.com/s3u/JSONPath/compare/v10.2.0...v10.3.0) - fix(eval): rce using non-string prop names ([#​237](https://redirect.github.com/s3u/JSONPath/issues/237)) - feat(demo): make demo link shareable ([#​238](https://redirect.github.com/s3u/JSONPath/issues/238)) - chore: update deps. and devDeps.
--- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/Unleash/unleash). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 frontend/package.json | 2 +-
 frontend/yarn.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/frontend/package.json b/frontend/package.json
index 720f39274c..e7a23b7258 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -130,7 +130,7 @@
 "resolutions": {
 "@codemirror/state": "6.5.2",
 "@xmldom/xmldom": "^0.9.0",
- "jsonpath-plus": "10.2.0",
+ "jsonpath-plus": "10.3.0",
 "json5": "^2.2.2",
 "vite": "5.4.14",
 "semver": "7.7.0",
diff --git a/frontend/yarn.lock b/frontend/yarn.lock
index 602ccaefa2..a30b1eeff4 100644
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
@@ -6740,9 +6740,9 @@ __metadata:
 languageName: node
 linkType: hard

-"jsonpath-plus@npm:10.2.0":
- version: 10.2.0
- resolution: "jsonpath-plus@npm:10.2.0"
+"jsonpath-plus@npm:10.3.0":
+ version: 10.3.0
+ resolution: "jsonpath-plus@npm:10.3.0"
 dependencies:
 "@jsep-plugin/assignment": "npm:^1.3.0"
 "@jsep-plugin/regex": "npm:^1.0.4"
@@ -6750,7 +6750,7 @@ __metadata:
 bin:
 jsonpath: bin/jsonpath-cli.js
 jsonpath-plus: bin/jsonpath-cli.js
- checksum: 10c0/46480781a0a0b5347dc592fd69ef7ff0fa5a5e322a3f1f23997319e77ee937762366d722facafcc5e8d16101e9cdf1ae14df1f1777b2933990aadd0cdb20d8f5
+ checksum: 10c0/f5ff53078ecab98e8afd1dcdb4488e528653fa5a03a32d671f52db1ae9c3236e6e072d75e1949a80929fd21b07603924a586f829b40ad35993fa0247fa4f7506
 languageName: node
 linkType: hard