[Security] Bump jsonpath-plus and @kubernetes/client-node

Dependabot requested to merge dependabot-npm_and_yarn-multi-466329dcf6 into master

Bumps jsonpath-plus to 10.0.0 and updates ancestor dependency @kubernetes/client-node. These dependencies need to be updated together.

Updates jsonpath-plus from 9.0.0 to 10.0.0 This update includes a security fix.

Vulnerabilities fixed

JSONPath Plus Remote Code Execution (RCE) Vulnerability: Versions of the package jsonpath-plus before 10.0.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

The unsafe behavior is still available after applying the fix, but it is not turned on by default.

Patched versions: 10.0.0 Affected versions: < 10.0.0

Changelog

Sourced from jsonpath-plus's changelog.

10.0.0

BREAKING CHANGES:

  • Require Node 18+

  • fix(security): use safe vm by default in Node

  • chore: bump jsep, devDeps. and lint

Commits

Updates @kubernetes/client-node from 0.22.0 to 0.22.1

Release notes

Sourced from @kubernetes/client-node's releases.

Release 0.22.1

What's Changed

New Contributors

Full Changelog: https://github.com/kubernetes-client/javascript/compare/0.22.0...0.22.1

Commits
  • 5a69713 Merge pull request #1932 from kubernetes-client/dependabot/npm_and_yarn/jasmi...
  • 63b3d94 Merge pull request #1931 from kubernetes-client/dependabot/npm_and_yarn/mock-...
  • e0cbd15 Merge pull request #1930 from kubernetes-client/dependabot/npm_and_yarn/typed...
  • d2102b3 build(deps-dev): bump jasmine from 5.3.1 to 5.4.0
  • 121f00f build(deps-dev): bump mock-fs from 5.3.0 to 5.4.0
  • 37c4cbc build(deps-dev): bump typedoc from 0.26.8 to 0.26.9
  • b05ab87 Merge pull request #1920 from kubernetes-client/ms/prepare-patch-0.22.1
  • c4c52c7 Merge pull request #1918 from kubernetes-client/ms/update-node-in-workflow
  • 81fb6ea chore: prepare patch release 0.22.1
  • f4dbc08 Revert "chore: prepare patch release"
  • Additional commits viewable in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
