Vulnerability on `gson-pointer` dependendency about json-schema-library HOT 9 CLOSED

Hi Ben.

Yes, I will take care if that. Thank you for the reminder.

from json-schema-library.

json-schema-library is published with an upgraded gson-pointer dependency: v7.3.7.

Your issue should be solved.

from json-schema-library.

Perfect! thanks for turning this around for us quickly! Have a great day! 🙏

from json-schema-library.

Nice thanks! Let me know if there's anything we can do to help! 🙏

from json-schema-library.

Thank you for the quick turnaround! 🙏

from json-schema-library.

@sagold it looks like the vulnerability is still there in the latest package however? Just tried with the latest 4.1.2 version and it's still possible to do prototype pollution with the latest version?

from json-schema-library.

yes I see the problem now. Will be done soon.

from json-schema-library.

OK perfect! Thank you again! 🙏

from json-schema-library.

Hi Ben.

• the prototype pollution vulnerability has been fixed in gson-pointer
• the vulerable devDependency watch has been removed from gson-pointer
• gson-pointer was published with v4.1.3

In addition, a step which was overdue is to move gson-pointer package. This package will further be published under @sagold/json-pointer and is currently available with v5.0.0 (ahead of gson-pointer and includes the same patches).

Thus

• with json-schema-library v7.3.8 the dependency was replaced by @sagold/[email protected]

running yarn audit results in 0 vulnerabilities.

If I missed something, send me response.

from json-schema-library.