[Security] Bump jsonpath-plus from 10.2.0 to 10.3.0

Bumps jsonpath-plus from 10.2.0 to 10.3.0. This update includes a security fix.

Vulnerabilities fixed

JSONPath Plus allows Remote Code Execution
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.

Note:

This is caused by an incomplete fix for CVE-2024-21534.

Patched versions: 10.3.0
Affected versions: < 10.3.0
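Because a dependency of your own project can still pin an older jsonpath-plus beside the bumped top-level copy, the check a reviewer wants before merging is whether any installed copy is below 10.3.0. The following is an added example, not code from this MR or from the jsonpath-plus project; it reads an npm package-lock.json in the lockfileVersion 2/3 "packages" layout (a constructed sample is embedded) and flags every copy, nested ones included, whose version is below the patched 10.3.0.

```javascript
// Added example (not part of the Dependabot MR or the jsonpath-plus project):
// scan an npm package-lock.json (lockfileVersion 2 or 3, "packages" map) for
// every installed copy of jsonpath-plus, including copies nested under another
// package's node_modules, and flag those below the patched 10.3.0.
// lockfileVersion 1 (nested "dependencies" tree) is not handled here.

const PATCHED = '10.3.0';

// Compare two semver-style versions; returns -1, 0 or 1.
// Only the numeric core is compared; a pre-release suffix sorts before
// the corresponding release (10.3.0-beta.1 < 10.3.0), so it stays flagged.
function compareVersions(a, b) {
  const [coreA, preA] = a.split('-');
  const [coreB, preB] = b.split('-');
  const pa = coreA.split('.').map(Number);
  const pb = coreB.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

// Returns {path, version, affected} for every jsonpath-plus entry in the lockfile.
function findJsonpathPlus(lockfile) {
  const results = [];
  for (const [pkgPath, meta] of Object.entries(lockfile.packages || {})) {
    const isTarget = pkgPath === 'node_modules/jsonpath-plus' ||
      pkgPath.endsWith('/node_modules/jsonpath-plus');
    if (!isTarget) continue;
    const version = meta.version || 'unknown';
    const affected = version !== 'unknown' && compareVersions(version, PATCHED) < 0;
    results.push({ path: pkgPath, version, affected });
  }
  return results;
}

// Constructed sample lockfile: the top-level copy is already 10.3.0, but a
// hypothetical dependency "some-lib" pins 10.2.0, which npm keeps installed
// as a nested copy and which would therefore still be vulnerable.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { 'jsonpath-plus': '^10.3.0' } },
    'node_modules/jsonpath-plus': { version: '10.3.0' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { 'jsonpath-plus': '10.2.0' } },
    'node_modules/some-lib/node_modules/jsonpath-plus': { version: '10.2.0' },
  },
};

for (const r of findJsonpathPlus(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version}: ${r.affected ? 'AFFECTED (< 10.3.0)' : 'ok'}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.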

Release notes

Sourced from jsonpath-plus's releases.

v10.3.0

What's Changed

Full Changelog: https://github.com/JSONPath-Plus/JSONPath/compare/v10.2.0...v10.3.0

Changelog

Sourced from jsonpath-plus's changelog.

10.3.0

  • fix(eval): rce using non-string prop names (#237)
  • feat(demo): make demo link shareable (#238)
  • chore: update deps. and devDeps.

Commits

  • 9754e4b chore: bump version
  • f690da1 chore: update deps and devDeps
  • 313a9b4 Merge pull request #238 from 80avin/shareable-demo
  • 39a0d03 Merge pull request #237 from 80avin/fix-10.2.0-rce
  • 1c532fc feat(demo): make demo link shareable
  • 3094289 fix(eval): rce using non-string prop names
  • See full diff in compare view

Maintainer changes

This version was pushed to npm by 80avin, a new releaser for jsonpath-plus since your current version.

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts