Snyk high security vulnerability in `json-ref-resolver` dependency
Describe the bug
I am running into a Snyk security vulnerability on the json-ref-resolver dependency because it is using an outdated dependency, lodash.set, which has an unresolved prototype pollution vulnerability. It should instead use set from the lodash dependency.
To Reproduce: See https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032
Additional context: I opened a PR here and I'm opening this issue for visibility.
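To confirm where a flagged transitive package such as `lodash.set` enters a project, the lockfile can be walked from the package back up to the root. This is an added example, not part of the original issue or the project's code; the lockfile is constructed, `example-app` and `example-linter` are hypothetical names, and the versions are placeholders.

```javascript
// Constructed lockfile (npm lockfileVersion 2/3 "packages" layout).
// "example-app" and "example-linter" are hypothetical; versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "example-linter": "*" } },
    "node_modules/example-linter": {
      version: "0.0.0-example",
      dependencies: { "json-ref-resolver": "*", lodash: "*" },
    },
    "node_modules/json-ref-resolver": {
      version: "0.0.0-example",
      dependencies: { "lodash.set": "*", lodash: "*" },
    },
    "node_modules/lodash": { version: "0.0.0-example" },
    "node_modules/lodash.set": { version: "0.0.0-example" },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Names of packages whose lockfile entry declares `target` as a dependency.
function findDependents(lock, target) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path === "" ? meta.name || "(root)" : nameFromPath(path);
    for (const f of fields) {
      if (meta[f] && Object.prototype.hasOwnProperty.call(meta[f], target)) out.push(name);
    }
  }
  return [...new Set(out)];
}

// Chains from the root project down to `target`, matched by package name only
// (a simplification: nested node_modules resolution is ignored).
function dependencyChains(lock, target, seen = new Set()) {
  if (seen.has(target)) return []; // cycle guard
  const root = (lock.packages[""] || {}).name || "(root)";
  const chains = [];
  for (const parent of findDependents(lock, target)) {
    if (parent === root) { chains.push([root, target]); continue; }
    const up = dependencyChains(lock, parent, new Set([...seen, target]));
    for (const c of up) chains.push([...c, target]);
  }
  return chains;
}

console.log(dependencyChains(sampleLock, "lodash.set").map((c) => c.join(" > ")));
```

Against a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; an empty result after upgrading means no installed package still declares the flagged dependency.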
@P0lip Any outlook on this vulnerability being addressed?
Oops, my apologies, I missed this one. I see @rmkeezer was kind enough to create PRs, so all that's left for me is to review them. I'll make sure to do it by the end of the week. Once again, my apologies for dropping the ball on this one.
Update the dep in https://github.com/stoplightio/spectral/commit/dc97f2414caaaae4c64166122f078c2de9d81ac2. @stoplight/[email protected] should be out in a few minutes