fix(deps): update dependency jsonpath-plus to 10.0.0 due to vulnerability #1056
Conversation
knowacki23
requested review from
magicmatatjahu,
jonaslagoni,
smoya and
asyncapi-bot-eve
as code owners
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Welcome to AsyncAPI. Thanks a lot for creating your first pull request. Please check out our contributors guide useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.
…bility Signed-off-by: Nowacki, Kacper <[email protected]>
|
|
@knowacki23 as of the changeset-bot, there will be no new version released as there is no changeset yet. I'm pretty sure this is not what you intend. |
@pjungermann - what needs to be done to unblock this PR/get a new release? I am getting this critical security issue flagged by automations and it'll shut down our CI/CD pipelines for my service and related services soon ... or is it better to create a new PR with the required changeset ? |
|
I'm not part of this project and just passed by due to the same vulnerability myself. The changeset-bot included links where you can find information on how to add a changeset, etc. Adding this as a new commit or amending your current commit, both are fine. A new PR is close to never required, I would say. |
|
I am not the original author and therefore can't amend this PR. @jonaslagoni @smoya - any chance you guys can amend/ add the changeset and review this PR? |
Description
This is a simple dependency bump in parser of the jsonpath-plus dependency.
This dependency is vulnerable according to Snyk: https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
As this is a non-major upgrade and I have not seen the vulnerability being mentioned anywhere in the repository I thought I'd open a PR for it.