[BUG] @asyncapi/multi-parser still depending on vulnerable version of jsonpath-plus #1065

Open · BenjaminSchwendner opened this issue Nov 21, 2024 · 6 comments · May be fixed by #1086
Labels
bug Something isn't working

Comments

@BenjaminSchwendner

Describe the bug.

There is a vulnerability in jsonpath-plus on versions earlier than 10.0.7.
You already merged these two PRs (#1058, #1062), making the @asyncapi/parser package migrate to a safe version.
However, the @asyncapi/multi-parser package still depends on versions of @asyncapi/multi-parser (parserapiv1 as well as parserapiv2) that use older versions of jsonpath-plus (7.2.0).

Would it be possible to release patches for 2.1.0 and 3.0.0-next-major-spec.8 of @asyncapi/parser that use the safe version of jsonpath-plus and then make @asyncapi/multi-parser use these versions?

Expected behavior

@asyncapi/multi-parser should only rely on jsonpath-plus@>10.0.7

Screenshots

Here is the (relevant) output of npm why jsonpath-plus after running npm install @asyncapi/multi-parser on a blank npm package:

jsonpath-plus@7.2.0
node_modules/parserapiv1/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from parserapiv1@2.1.2
  node_modules/parserapiv1
    parserapiv1@"npm:@asyncapi/parser@^2.1.0" from @asyncapi/multi-parser@2.2.0
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

jsonpath-plus@7.2.0
node_modules/parserapiv2/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from parserapiv2@3.0.0-next-major-spec.8
  node_modules/parserapiv2
    parserapiv2@"npm:@asyncapi/parser@3.0.0-next-major-spec.8" from @asyncapi/multi-parser@2.2.0
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

How to Reproduce

Install @asyncapi/multi-parser and find the versions of jsonpath-plus that got installed.

🥦 Browser

None

👀 Have you checked for similar open issues?

  • I checked and didn't find similar issue

🏢 Have you read the Contributing Guidelines?

Are you willing to work on this issue?

None

@BenjaminSchwendner BenjaminSchwendner added the bug Something isn't working label Nov 21, 2024

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

@6LpUkQSgQm

Could you let me know when you expect to review the fix for this bug?

@derberg
Member

derberg commented Dec 11, 2024

coming here from asyncapi/generator#1323

@jonaslagoni @magicmatatjahu @smoya any ideas how we could fix that? affected things are:

    "parserapiv1": "npm:@asyncapi/parser@^2.1.0",
    "parserapiv2": "npm:@asyncapi/parser@3.0.0-next-major-spec.8"

but damn, doing patches is a hell of a job

what about adding this to package.json:

  "overrides": {
    "parserapiv1": {
      "jsonpath-plus": "^10.0.7"
    },
    "parserapiv2": {
      "jsonpath-plus": "^10.0.7"
    }
  }

since 7.2.0 changes were:

  • v8 only breaking change was node14 requirement
  • v9 changes to eval and evaluate
  • v10 node18 requirement

the only thing is that adding such override, we would need to release new major for multi-parser as for now in package.json we do not have any info about node version requirements. So we need new version and below:

  "engines": {
    "node": ">=18"
  }

@jonaslagoni @magicmatatjahu @smoya wdyt?
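As an added example (not code from the asyncapi project or from any commenter), the following Node script performs the check a maintainer would want before and after applying the overrides proposed above: it walks a dependency tree in the shape `npm ls jsonpath-plus --all --json` prints, reports every installed copy of jsonpath-plus older than 10.0.7 together with its dependency path, and derives the nested `overrides` block for the offending parents. The tree below is constructed from the versions in the `npm why` output of the issue; the JSON nesting is reconstructed, not captured, and the `auditSample`, `findVulnerableCopies` and `buildOverrides` names are the example's own.

```javascript
// Added example, not part of asyncapi/parser-js: audit an `npm ls --json` tree
// for copies of jsonpath-plus older than the fixed release and emit the
// package.json "overrides" block that pins them, per parent package.
// Run: node audit-jsonpath.js
// (to audit a real project, replace SAMPLE_TREE with
//  JSON.parse(execSync('npm ls jsonpath-plus --all --json')))

const PKG = 'jsonpath-plus';
const FIXED = '10.0.7'; // first release without the vulnerability, per the issue

// Minimal major.minor.patch comparison. A pre-release tag such as
// 3.0.0-next-major-spec.8 is stripped; that is sufficient here because only
// jsonpath-plus versions are compared and those carry no pre-release tag.
function parseVersion(v) {
  return v.replace(/^v/, '').split('-')[0].split('.').map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively walk the tree and collect every copy of `pkg` below `fixed`,
// recording the path from the root and the direct parent (the package whose
// dependency on `pkg` the override has to target).
function findVulnerableCopies(tree, pkg, fixed, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && node.version && compareVersions(node.version, fixed) < 0) {
      out.push({
        version: node.version,
        path: here.join(' > '),
        parent: path.length ? path[path.length - 1] : '<root>',
      });
    }
    findVulnerableCopies(node, pkg, fixed, here, out);
  }
  return out;
}

// Build the nested "overrides" object for package.json: one entry per
// offending parent, pinning `pkg` to ^fixed (the shape proposed in the thread).
function buildOverrides(findings, pkg, fixed) {
  const overrides = {};
  for (const f of findings) {
    overrides[f.parent] = { ...(overrides[f.parent] || {}), [pkg]: `^${fixed}` };
  }
  return overrides;
}

// Constructed sample tree: a blank project that installed @asyncapi/multi-parser@2.2.0,
// with the versions reported by `npm why` in the issue.
const SAMPLE_TREE = {
  name: 'blank-project',
  dependencies: {
    '@asyncapi/multi-parser': {
      version: '2.2.0',
      dependencies: {
        parserapiv1: {
          version: '2.1.2',
          dependencies: { 'jsonpath-plus': { version: '7.2.0' } },
        },
        parserapiv2: {
          version: '3.0.0-next-major-spec.8',
          dependencies: { 'jsonpath-plus': { version: '7.2.0' } },
        },
      },
    },
  },
};

function auditSample() {
  const findings = findVulnerableCopies(SAMPLE_TREE, PKG, FIXED);
  return { findings, overrides: buildOverrides(findings, PKG, FIXED) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { findings, overrides } = auditSample();
  for (const f of findings) console.log(`${PKG}@${f.version} via ${f.path}`);
  console.log(JSON.stringify({ overrides }, null, 2));
}
```

Running it against the sample prints both 7.2.0 copies (via parserapiv1 and parserapiv2) and an `overrides` block identical in shape to the one proposed above; against a tree where every copy is 10.0.7 or newer it reports nothing, which is the state to confirm after the override and engine changes land.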

@shwetd19

shwetd19 commented Feb 8, 2025

Hey @derberg @jonaslagoni @magicmatatjahu @smoya @BenjaminSchwendner

The suggested approach using overrides seems like a reasonable solution given the complexity of patching multiple nested dependencies.

I agree that this warrants a major version bump for multi-parser since we'd be enforcing Node.js 18+ through the jsonpath-plus v10 dependency, making a breaking change for environments using older Node.js versions, and it's better to be explicit about the Node.js requirement in package.json.

For the next steps, I suggest we create a new major version of multi-parser (v3.0.0), add the overrides for jsonpath-plus >=10.0.7, add the Node.js engine requirement, update documentation to clearly communicate the Node.js version requirement, and add a migration guide for users who need to upgrade.

@smoya
Member

smoya commented Feb 12, 2025

@BenjaminSchwendner @derberg Thanks for the efforts on this issue. I created a PR with the suggested changes #1086

@canassa

canassa commented Feb 19, 2025

This bug also affects the @asyncapi/parser

❯ npm ls jsonpath-plus
  └─┬ @asyncapi/parser@3.4.0
    ├─┬ @stoplight/spectral-core@1.19.4
    │ ├── jsonpath-plus@10.2.0
    │ └─┬ nimma@0.2.3
    │   └── jsonpath-plus@10.3.0 deduped
    └── jsonpath-plus@10.3.0
