From e18f865b7d72ef3d0ca98ee70a452a2cd5810ab6 Mon Sep 17 00:00:00 2001
From: Corey Daley
Date: Mon, 28 Oct 2024 10:04:41 -0400
Subject: [PATCH 1/2] chore(deps): bump jsonpath-plus to ^10.0.0 to mitigate CVE-2024-21534 (#1058)
* chore(deps): update dependency jsonpath-plus to 10.0.0 due to vulnerability
Signed-off-by: Nowacki, Kacper
* adding changeset
---------
Signed-off-by: Nowacki, Kacper
Co-authored-by: knowacki23
---
 .changeset/new-ears-clap.md | 6 ++++++
 package-lock.json | 34 ++++++++++++++++++++++++++++++++--
 packages/parser/package.json | 2 +-
 3 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 .changeset/new-ears-clap.md
diff --git a/.changeset/new-ears-clap.md b/.changeset/new-ears-clap.md
new file mode 100644
index 000000000..93a5e2b4e
--- /dev/null
+++ b/.changeset/new-ears-clap.md
@@ -0,0 +1,6 @@
+---
+"@asyncapi/multi-parser": minor
+"@asyncapi/parser": minor
+---
+
+Updating jsonpath-plus dependency to mitigate CVE-2024-21534
diff --git a/package-lock.json b/package-lock.json
index 666363482..1ab6f665e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1271,6 +1271,18 @@ "@jridgewell/sourcemap-codec": "^1.4.14" } }, + "node_modules/@jsep-plugin/assignment": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/@jsep-plugin/assignment/-/assignment-1.2.1.tgz", + "integrity": "sha512-gaHqbubTi29aZpVbBlECRpmdia+L5/lh2BwtIJTmtxdbecEyyX/ejAOg7eQDGNvGOUmPY7Z2Yxdy9ioyH/VJeA==", + "license": "MIT", + "engines": { + "node": ">= 10.16.0" + }, + "peerDependencies": { + "jsep": "^0.4.0||^1.0.0" + } + }, "node_modules/@jsep-plugin/regex": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/@jsep-plugin/regex/-/regex-1.0.3.tgz",
@@ -12219,7 +12231,7 @@ }, "packages/parser": { "name": "@asyncapi/parser", - "version": "3.2.2", + "version": "3.3.0", "license": "Apache-2.0", "dependencies": { "@asyncapi/specs": "^6.8.0",
@@ -12239,7 +12251,7 @@ "ajv-formats": "^2.1.1", "avsc": "^5.7.5", "js-yaml": "^4.1.0", - "jsonpath-plus": "^7.2.0", + "jsonpath-plus": "^10.0.0", "node-fetch": "2.6.7" }, "devDependencies": {
@@ -12281,6 +12293,24 @@ "undici-types": "~5.26.4" } }, + "packages/parser/node_modules/jsonpath-plus": { + "version": "10.0.0", + "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.0.0.tgz", + "integrity": "sha512-v7j76HGp/ibKlXYeZ7UrfCLSNDaBWuJMA0GaMjA4sZJtCtY89qgPyToDDcl2zdeHh4B5q/B3g2pQdW76fOg/dA==", + "license": "MIT", + "dependencies": { + "@jsep-plugin/assignment": "^1.2.1", + "@jsep-plugin/regex": "^1.0.3", + "jsep": "^1.3.9" + }, + "bin": { + "jsonpath": "bin/jsonpath-cli.js", + "jsonpath-plus": "bin/jsonpath-cli.js" + }, + "engines": { + "node": ">=18.0.0" + } + }, "packages/parser/node_modules/undici-types": { "version": "5.26.5", "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
diff --git a/packages/parser/package.json b/packages/parser/package.json
index 1128ad916..fd02ae9eb 100644
--- a/packages/parser/package.json
+++ b/packages/parser/package.json
@@ -59,7 +59,7 @@
 "ajv-formats": "^2.1.1",
 "avsc": "^5.7.5",
 "js-yaml": "^4.1.0",
- "jsonpath-plus": "^7.2.0",
+ "jsonpath-plus": "^10.0.0",
 "node-fetch": "2.6.7"
 },
 "devDependencies": {
From 7c7c556a9dac19c361a28ba7737d8347954b5eba Mon Sep 17 00:00:00 2001
From: asyncapi-bot
Date: Mon, 28 Oct 2024 15:10:21 +0100
Subject: [PATCH 2/2] chore(release): version packages (#1059)
---
 .changeset/new-ears-clap.md | 6 ------
 packages/multi-parser/CHANGELOG.md | 11 +++++++++++
 packages/multi-parser/package.json | 2 +-
 packages/parser/CHANGELOG.md | 6 ++++++
 packages/parser/package.json | 2 +-
 5 files changed, 19 insertions(+), 8 deletions(-)
 delete mode 100644 .changeset/new-ears-clap.md
diff --git a/.changeset/new-ears-clap.md b/.changeset/new-ears-clap.md
deleted file mode 100644
index 93a5e2b4e..000000000
--- a/.changeset/new-ears-clap.md
+++ /dev/null
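Review bot: In the `packages/parser/package.json` hunk of PATCH 1/2, raising the direct range to `"jsonpath-plus": "^10.0.0"` does not by itself show that the vulnerable release has left the install tree. The lockfile hunk in the same patch adds the 10.0.0 copy nested under `packages/parser/node_modules/jsonpath-plus` rather than at the root, which usually means another dependent still resolves a different version hoisted at `node_modules/jsonpath-plus`; that entry is outside the visible hunks, so this is inferred. Running `npm ls jsonpath-plus` before release, and adding a root `overrides` entry if an older copy is still resolved, would close that gap. The new lock entry also declares `"node": ">=18.0.0"`, so a jump from 7.x to 10.x shipped under a `minor` changeset can break consumers on older Node unless this package's own `engines` field already requires 18. It is also worth checking the advisory for CVE-2024-21534 to confirm that 10.0.0 is the complete fix, and raising the floor of the range if it is not.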
@@ -1,6 +0,0 @@
----
-"@asyncapi/multi-parser": minor
-"@asyncapi/parser": minor
----
-
-Updating jsonpath-plus dependency to mitigate CVE-2024-21534
diff --git a/packages/multi-parser/CHANGELOG.md b/packages/multi-parser/CHANGELOG.md
index e0a744944..b257d5299 100644
--- a/packages/multi-parser/CHANGELOG.md
+++ b/packages/multi-parser/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @asyncapi/multi-parser
+## 2.2.0
+
+### Minor Changes
+
+- e18f865: Updating jsonpath-plus dependency to mitigate CVE-2024-21534
+
+### Patch Changes
+
+- Updated dependencies [e18f865]
+ - @asyncapi/parser@3.4.0
+
 ## 2.1.1
 ### Patch Changes
diff --git a/packages/multi-parser/package.json b/packages/multi-parser/package.json
index 81335e008..2aeb3371f 100644
--- a/packages/multi-parser/package.json
+++ b/packages/multi-parser/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@asyncapi/multi-parser",
- "version": "2.1.1",
+ "version": "2.2.0",
 "description": "This tool allows to parse AsyncAPI documents and produce a desired interface based on a given Parser-API version",
 "private": false,
 "bugs": {
diff --git a/packages/parser/CHANGELOG.md b/packages/parser/CHANGELOG.md
index b17877e29..2eab2af3d 100644
--- a/packages/parser/CHANGELOG.md
+++ b/packages/parser/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @asyncapi/parser
+## 3.4.0
+
+### Minor Changes
+
+- e18f865: Updating jsonpath-plus dependency to mitigate CVE-2024-21534
+
 ## 3.3.0
 ### Minor Changes
diff --git a/packages/parser/package.json b/packages/parser/package.json
index fd02ae9eb..48e5d33fd 100644
--- a/packages/parser/package.json
+++ b/packages/parser/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@asyncapi/parser",
- "version": "3.3.0",
+ "version": "3.4.0",
 "description": "JavaScript AsyncAPI parser.",
 "private": false,
 "bugs": {