
[BUG] Snyk vulnerability in version asyncapi/generator 2.5.0 #1323

Open
2 tasks done
Divya-hub-dot opened this issue Dec 10, 2024 · 4 comments
Labels
bug Something isn't working

Comments


Divya-hub-dot commented Dec 10, 2024

Describe the bug.

A critical vulnerability has been reported for the package jsonpath-plus, which originates from @asyncapi/generator@1.15.1.
To address this, we have upgraded @asyncapi/generator to versions 2.4.0 and even tested with the latest version 2.5.0. However, the issue persists along the following dependency path:

lib@* › @asyncapi/generator@2.4.0 › @asyncapi/parser@3.0.0-next-major-spec.8 › jsonpath-plus@7.2.0

To resolve this, jsonpath-plus needs to be upgraded to version 10.2.0, but unfortunately we are not able to do it, so could you please help us upgrade jsonpath-plus to 10.2.0, or guide us on how it can be done.

Expected behavior

Snyk vulnerabilities should not appear on the Snyk board under the below-mentioned path:
[screenshot omitted]

How to Reproduce

  1. As suggested in the SNYK org, I upgraded @asyncapi/generator to version 2.4.0, but the Snyk vuln was still showing up.
  2. I then upgraded to 2.5.0, which is the latest version of @asyncapi/generator.
  3. But the vuln is still showing up in the SNYK org, and it is suggesting upgrading jsonpath-plus to 10.2.0.
  4. So I need help/suggestions on upgrading jsonpath-plus to 10.2.0.

🥦 Browser

None

👀 Have you checked for similar open issues?

  • I checked and didn't find a similar issue

🏢 Have you read the Contributing Guidelines?

Are you willing to work on this issue?

None
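The reported path is a transitive one (lib › @asyncapi/generator › @asyncapi/parser › jsonpath-plus), so the first thing to confirm on a consumer's side is which installed copy of jsonpath-plus a lock file actually resolves to and through which parents. The script below is an added example, not code from this issue or from the asyncapi/generator project: it walks an npm package-lock.json (lockfileVersion 2 or 3, the "packages" map) using npm's nearest-ancestor resolution, prints every path from the root to a named package in the same "a@1 › b@2" style Snyk uses, and flags leaves installed below the version reported as fixed. The embedded SAMPLE_LOCK is constructed to reproduce the path quoted above; the version numbers are the ones named in the issue, but the lock layout is illustrative and not taken from any project. The prerelease handling (a `-rc` or `-next` suffix counts as below the plain release) is a conservative choice of this example, not an npm rule.

```javascript
// Added example (not from the issue or from asyncapi/generator): list every
// dependency path in an npm lock file that leads to a given package and flag
// installs below the fixed version. Usage:
//   node find-dep-paths.js ./package-lock.json jsonpath-plus 10.2.0
// With no arguments it runs against the constructed SAMPLE_LOCK below.

// Constructed sample lock reproducing the path quoted in the issue. Versions are
// those named there; the layout is illustrative, not copied from any project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "lib", dependencies: { "@asyncapi/generator": "^2.4.0" } },
    "node_modules/@asyncapi/generator": {
      version: "2.4.0",
      dependencies: { "@asyncapi/parser": "3.0.0-next-major-spec.8" },
    },
    "node_modules/@asyncapi/parser": {
      version: "3.0.0-next-major-spec.8",
      dependencies: { "jsonpath-plus": "^7.2.0" },
    },
    "node_modules/jsonpath-plus": { version: "7.2.0" },
  },
};

// npm's nearest-ancestor resolution: a dependency of the package installed at
// `fromPath` lives at `<fromPath>/node_modules/<name>` or in the closest
// enclosing node_modules directory, ending at top-level `node_modules/<name>`.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name of a lock entry: the segment after the last "node_modules/".
function pkgName(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// "name@version" label; the root uses its own name and "*" when it has no version.
function nodeLabel(lock, path) {
  const pkg = lock.packages[path];
  if (path === "") return `${pkg.name || "root"}@${pkg.version || "*"}`;
  return `${pkgName(path)}@${pkg.version}`;
}

// Depth-first search for every path from the root to `target`. `onStack` holds
// the entries on the current path so dependency cycles terminate.
function findPaths(lock, target) {
  const results = [];
  function walk(path, labels, onStack) {
    const pkg = lock.packages[path];
    const nextLabels = [...labels, nodeLabel(lock, path)];
    if (path !== "" && pkgName(path) === target) {
      results.push(nextLabels);
      return;
    }
    const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDep(lock, path, depName);
      if (depPath === null || onStack.has(depPath)) continue;
      onStack.add(depPath);
      walk(depPath, nextLabels, onStack);
      onStack.delete(depPath);
    }
  }
  walk("", [], new Set([""]));
  return results;
}

// Compare major.minor.patch numerically; when they tie, a prerelease suffix
// (e.g. "10.2.0-rc.1") is treated as below the plain release. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const nums = (v) => v.split("-")[0].split(".").map((x) => parseInt(x, 10) || 0);
  const [pa, pb] = [nums(a), nums(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  const [preA, preB] = [a.includes("-"), b.includes("-")];
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

// One line per path, with the leaf marked VULNERABLE when below `minFixed`.
function report(lock, target, minFixed) {
  return findPaths(lock, target).map((labels) => {
    const leafVersion = labels[labels.length - 1].slice(target.length + 1);
    const status =
      compareVersions(leafVersion, minFixed) < 0 ? `VULNERABLE (< ${minFixed})` : "ok";
    return `${labels.join(" › ")}  [${status}]`;
  });
}

const [, , lockFile, targetName = "jsonpath-plus", fixedVersion = "10.2.0"] = process.argv;
const lockData = lockFile
  ? JSON.parse(require("fs").readFileSync(lockFile, "utf8"))
  : SAMPLE_LOCK;
for (const line of report(lockData, targetName, fixedVersion)) console.log(line);
```

On the sample lock this prints the single path from the issue tagged VULNERABLE; on a real lock file it may print several, one per parent that resolves to a vulnerable copy. If a consumer needs a stopgap before the upstream fix lands, npm's `overrides` field in package.json can pin a transitive dependency, but jsonpath-plus 7 to 10 spans three major versions and nothing here verifies that the parser still works against 10.2.0, so re-run the project's tests after any such pin and treat it as temporary.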

@Divya-hub-dot Divya-hub-dot added the bug Something isn't working label Dec 10, 2024

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.


derberg commented Dec 11, 2024

thanks for the issue, not a fix we should do in generator, only as a last resort, let's first try in asyncapi/parser-js#1065 (comment)

@asos-pareshjadhav

Hi @derberg
asyncapi/generator & asyncapi/parser-js are both the same??


derberg commented Dec 17, 2024

@asos-pareshjadhav in what sense? I don't get your question, need more context
