[BUG] `@asyncapi/multi-parser` still depending on vulnerable version of `jsonpath-plus`

[BenjaminSchwendner]

Describe the bug.

There is a vulnerability in jsonpath-plus on versions earlier than 10.0.7.
You already merged these two PRs (#1058, #1062), making the @asyncapi/parser package migrate to a safe version.
However, the @asyncapi/multi-parser package still depends on versions of @asyncapi/multi-parser (parserapiv1 as well as parserapiv2) that use older versions of jsonpath-plus (7.2.0).

Would it be possible to release patches for 2.1.0 and 3.0.0-next-major-spec.8 of @asyncapi/parser that use the safe version of jsonpath-plus and then make @asyncapi/multi-parser use these versions?

Expected behavior

@asyncapi/multi-parser should only rely on jsonpath-plus@>10.0.7

Screenshots

Here the (relevant) output of npm why jsonpath-plus after running npm install @asyncapi/multi-parser on a blank npm package:

jsonpath-plus@7.2.0
node_modules/parserapiv1/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from parserapiv1@2.1.2
  node_modules/parserapiv1
    parserapiv1@"npm:@asyncapi/parser@^2.1.0" from @asyncapi/multi-parser@2.2.0
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

jsonpath-plus@7.2.0
node_modules/parserapiv2/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from parserapiv2@3.0.0-next-major-spec.8
  node_modules/parserapiv2
    parserapiv2@"npm:@asyncapi/parser@3.0.0-next-major-spec.8" from @asyncapi/multi-parser@2.2.0
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

How to Reproduce

Install @asyncapi/multi-parser and find the versions of jsonpath-plus that got installed.

🥦 Browser

None

👀 Have you checked for similar open issues?

• I checked and didn't find similar issue

🏢 Have you read the Contributing Guidelines?

• I have read the Contributing Guidelines

Are you willing to work on this issue ?

None

[github-actions]

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

[6LpUkQSgQm]

Could you let me know when you expect to review the fix for this bug?

[derberg]

coming here from asyncapi/generator#1323

@jonaslagoni @magicmatatjahu @smoya any ideas how we could fix that? affected things are:

    "parserapiv1": "npm:@asyncapi/parser@^2.1.0",
    "parserapiv2": "npm:@asyncapi/parser@3.0.0-next-major-spec.8"

but damn, doing patches is a hell of a job

what about adding this to package.json:

"overrides": {
    "parserapiv1": {
      "jsonpath-plus": "^10.0.7"
    },
    "parserapiv2": {
      "jsonpath-plus": "^10.0.7"
    },
  }

since 7.2.0 changes were:

• v8 only breaking change was node14 requirement
• v9 changes to eval and evaluate
• v10 node18 requirement

the only thing is that adding such override, we would need to release new major for multi-parser as for now in package.json we do not have any info about node version requirements. So we need new version and below:

  "engines": {
    "node": ">=18"
  }

@jonaslagoni @magicmatatjahu @smoya wdyt?

[shwetd19]

Hey @derberg @jonaslagoni @magicmatatjahu @smoya @BenjaminSchwendner

The suggested approach using overrides seems like a reasonable solution given the complexity of patching multiple nested dependencies.

I agree that this warrants a major version bump for multi-parser since we'd be enforcing Node.js 18+ through the jsonpath-plus v10 dependency, making a breaking change for environments using older Node.js versions, and it's better to be explicit about the Node.js requirement in package.json.

For the next steps, I suggest we create a new major version of multi-parser (v3.0.0), add the overrides for jsonpath-plus >=10.0.7, add the Node.js engine requirement, update documentation to clearly communicate the Node.js version requirement, and add a migration guide for users who need to upgrade.

[smoya]

@BenjaminSchwendner @derberg Thanks for the efforts on this issue. I created a PR with the suggested changes #1086

[canassa]

This bug also affects the @asyncapi/parser

❯ npm ls jsonpath-plus
  └─┬ @asyncapi/parser@3.4.0
    ├─┬ @stoplight/spectral-core@1.19.4
    │ ├── jsonpath-plus@10.2.0
    │ └─┬ nimma@0.2.3
    │   └── jsonpath-plus@10.3.0 deduped
    └── jsonpath-plus@10.3.0

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️