[Security] Bump jsonpath-plus from 10.0.0 to 10.1.0
Bumps jsonpath-plus from 10.0.0 to 10.1.0. This update includes a security fix.
Vulnerabilities fixed
JSONPath Plus Remote Code Execution (RCE) Vulnerability
Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.
Note:
There was an attempt to fix it in version 10.0.0 but it could still be exploited using different payloads.
Patched versions: 10.0.7
Affected versions: < 10.0.7
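As an added example, not part of this MR or of the jsonpath-plus project, two defender-side checks in JavaScript: a lockfile scan that flags resolved jsonpath-plus versions below the patched 10.0.7, and a gate that refuses to hand a JSONPath string containing a filter `[?(...)]` or script `[(...)]` subscript to the library when the path comes from untrusted input, since those subscripts are what the library's eval / "safe" vm path evaluates. The lockfile contents are constructed, and `affectedJsonpathPlus` and `hasScriptSubscript` are names chosen here.

```javascript
// Added example; not code from the Dependabot MR or the jsonpath-plus project.
const PATCHED = "10.0.7"; // first version the advisory lists as fixed

// Compare two dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Given a parsed package-lock.json (lockfileVersion 2/3 "packages" map), return every
// resolved jsonpath-plus copy, nested ones included, whose version is below 10.0.7.
function affectedJsonpathPlus(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/jsonpath-plus") && meta.version &&
        compareVersions(meta.version, PATCHED) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// True when the JSONPath contains a filter "[?( ... )]" or script "[( ... )]" subscript.
// Paths from untrusted input that match should be rejected before reaching the library,
// because those subscripts are the only parts that go through its expression evaluator.
function hasScriptSubscript(path) {
  return /\[\s*\??\s*\(/.test(path);
}

// Constructed sample lockfile (not a real project's): one vulnerable copy at the top
// level and one already-patched copy nested under another dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsonpath-plus": { version: "10.0.0" },
    "node_modules/some-lib/node_modules/jsonpath-plus": { version: "10.1.0" }
  }
};

for (const hit of affectedJsonpathPlus(sampleLock)) {
  console.log(`affected: ${hit.path}@${hit.version} (< ${PATCHED})`);
}
```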
Changelog
Sourced from jsonpath-plus's changelog.
10.1.0
- feat: add typeof operator to safe script
10.0.7
- fix(security): prevent `constructor` access
- docs: add security policy file
10.0.6
- fix(security): prevent `call`/`apply` invocation of `Function`
10.0.5
- fix: remove overly aggressive disabling of native functions but disallow `__proto__`
10.0.4
- fix(security): further prevent binding of Function calls which may evade detection
10.0.3
- fix(security): prevent binding of Function calls which may evade detection
10.0.2
- fix(security): prevent Function calls outside of member expressions
10.0.1
- fix(security): prohibit `Function` in "safe" vm
Commits
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
- `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts