[Security] Bump jsonpath-plus and @kubernetes/client-node
Bumps jsonpath-plus to 10.0.0 and updates ancestor dependency @kubernetes/client-node. These dependencies need to be updated together.
Updates jsonpath-plus from 9.0.0 to 10.0.0. This update includes a security fix.
Vulnerabilities fixed
JSONPath Plus Remote Code Execution (RCE) Vulnerability: versions of the package jsonpath-plus before 10.0.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.
Note:
The unsafe behavior is still available after applying the fix but it is not turned on by default.
Patched versions: 10.0.0 Affected versions: < 10.0.0
Changelog
Sourced from jsonpath-plus's changelog.
10.0.0
BREAKING CHANGES:
Require Node 18+
fix(security): use safe vm by default in Node
chore: bump jsep, devDeps. and lint
Commits
- See full diff in compare view
Updates @kubernetes/client-node from 0.22.0 to 0.22.1
Release notes
Sourced from @kubernetes/client-node's releases.
Release 0.22.1
What's Changed
- Fix cp promise returns by converting the exec callbacks into promises by @joeferner in kubernetes-client/javascript#1880
- test: replace use of deprecated Buffer constructor by @cjihrig in kubernetes-client/javascript#1891
- ci: test against node 22 by @cjihrig in kubernetes-client/javascript#1890
- chore: update ws by @mstruebing in kubernetes-client/javascript#1888
- ci: use node LTS in workflows by @mstruebing in kubernetes-client/javascript#1918
New Contributors
- @joeferner made their first contribution in kubernetes-client/javascript#1880
Full Changelog: https://github.com/kubernetes-client/javascript/compare/0.22.0...0.22.1
Commits
- 5a69713 Merge pull request #1932 from kubernetes-client/dependabot/npm_and_yarn/jasmi...
- 63b3d94 Merge pull request #1931 from kubernetes-client/dependabot/npm_and_yarn/mock-...
- e0cbd15 Merge pull request #1930 from kubernetes-client/dependabot/npm_and_yarn/typed...
- d2102b3 build(deps-dev): bump jasmine from 5.3.1 to 5.4.0
- 121f00f build(deps-dev): bump mock-fs from 5.3.0 to 5.4.0
- 37c4cbc build(deps-dev): bump typedoc from 0.26.8 to 0.26.9
- b05ab87 Merge pull request #1920 from kubernetes-client/ms/prepare-patch-0.22.1
- c4c52c7 Merge pull request #1918 from kubernetes-client/ms/update-node-in-workflow
- 81fb6ea chore: prepare patch release 0.22.1
- f4dbc08 Revert "chore: prepare patch release"
- Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts