fix: update fast-json-patch for security #227
base: master
Conversation
Cannot fix the ajv-cli vulnerability currently, see - ajv-validator/ajv-cli#227 - Starcounter-Jack/JSON-Patch#308
@epoberezkin friendly bump :)
To fix the build failures you need to pin typescript to I also think package-lock.json should be committed and the pipeline should use
@bodograumann fixing ci is out of scope here too - there's already #218 open for that
54d9cca to 076e33d
@epoberezkin I've cherry-picked the TypeScript changes done by @thomastoye over in #218 so now CI is passing, and this should be good to land as-is
Any updates? Why is it not merged? "module_name": "fast-json-patch"
Vulnerable advisories are:
@epoberezkin could we get this landed and released?
We have to contemplate the idea that a project with little to no updates that has been ignoring a tiny patch fixing a security issue for the past half year may in fact be an abandoned project. 😔
@epoberezkin it would be good if we could get this reviewed and released :)
@G-Rath Thank you for creating this PR. Let's see if this can be reviewed and merged.
This project seems utterly unmaintained. We should think about creating a fork...
@epoberezkin reminder about this - I'm also happy to help with the general maintenance of this cli if you like.
I just posted to twitter for the first time in forever to hopefully get @epoberezkin's attention. He's obviously proud of his work since his profile there says "Created Ajv #JSON validator used by millions of JS apps." Maybe @ChALkeR can merge, though?
until this is not merged you can use this workaround: diff --git a/package.json b/package.json
index 2dfa265..1efb2ff 100644
--- a/package.json
+++ b/package.json
@@ -8,5 +8,9 @@
"description": "",
"dependencies": {
"ajv-cli": "^5.0.0"
+ },
+ "overrides": {
+ "fast-json-patch": "3.1.1"
}
+
} ref https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides |
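Review bot: the `overrides` entry pins `fast-json-patch` to exactly `"3.1.1"`, so this workaround will not pick up any later patch release of that package; a range such as `"^3.1.1"` keeps the floor at the fixed version while still allowing future fixes. The lone `+` blank line before the closing `}` is stray whitespace and should be dropped from the hunk. Also note that `overrides` is an npm-only field (see the linked npm docs); yarn and pnpm users need their own equivalent mechanism, and the override should be removed once the dependency bump in this PR is released.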
@epoberezkin Please fix? While the Remarks: The To utilize the great features of Please fix this security vulnerability soon!
Is this update going to be accepted? If not, could someone confirm if
With the last commit 4 years old and no reaction on critical security issues, I think we can say it is definitely dead. https://github.com/jirutka/ajv-cli Maybe we can converge on that? |
Resolves #225
Resolves #229
Resolves GHSA-8gh8-hqwg-xf34
@epoberezkin let me know if you need any help with getting this landed
it'll also want #218 or similar to fix CI, and it seems like there's a few dev dependencies that could be cleaned up which I'm happy to do after both of these have been landed.
- I've ended up just pulling in the TypeScript changes required to get CI green.