[Security] Bump jsonpath-plus from 10.0.0 to 10.1.0 (!44) · Merge requests · tools / infra / zeroscale

Dependabot requested to merge dependabot-npm_and_yarn-jsonpath-plus-10.1.0 into master Nov 13, 2024

Bumps jsonpath-plus from 10.0.0 to 10.1.0. This update includes a security fix.

Vulnerabilities fixed

JSONPath Plus Remote Code Execution (RCE) Vulnerability Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There was an attempt to fix it in version 10.0.0 but it could still be exploited using different payloads.

Patched versions: 10.0.7 Affected versions: < 10.0.7

Changelog

Sourced from jsonpath-plus's changelog.

10.1.0

feat: add typeof operator to safe script

10.0.7

fix(security): prevent constructor access

docs: add security policy file

10.0.6

fix(security): prevent call/apply invocation of Function

10.0.5

fix: remove overly aggressive disabling of native functions but disallow __proto__

10.0.4

fix(security): further prevent binding of Function calls which may evade detection

10.0.3

fix(security): prevent binding of Function calls which may evade detection

10.0.2

fix(security): prevent Function calls outside of member expressions

10.0.1

fix(security): prohibit Function in "safe" vm

Commits

See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump jsonpath-plus from 10.0.0 to 10.1.0

10.1.0

10.0.7

10.0.6

10.0.5

10.0.4

10.0.3

10.0.2

10.0.1

Merge request reports