json5 dependabot vulnerability due to old tsconfig-paths version

[osdiab]

Would be nice if tsconfig-paths could be bumped to ^4 so that Github would stop reporting the transitive json5 dependency as a security vulnerability by using this package. thanks!

[ljharb]

json5 v1.0.2 has already been updated with this fix, and either way, it's not a valid vulnerability.

As is the case with almost every JS CVE, the best course of action is to do nothing until the ecosystem fixes it for you.

This is a duplicate of #2625; a duplicate of #2628; a duplicate of #2626; a duplicate of #2627; a duplicate of #2631; a duplicate of #2632; a duplicate of #2634; a duplicate of #2635; a duplicate of #2636,

Please stop filing issues about a vulnerability on "not the vulnerable package", it doesn't help.

[ljharb]

@air2 if you continue making that comment you'll be blocked from the import-js org.

[air2]

I still do not understand what is wrong with my comment? The package is specifically created for people who do not want to be dependent on the config-path dependency. You do not want to upgrade the dependency, which is perfectly fine. But in this case it is a pretty good middleground. You do not need to upgrade the dependency and people who do not use node4 are able to use this package without much hustle. So why is it so bad if i point people to this solution?

[ljharb]

@air2 a) most people can't use that because of a shared config that brings in this plugin, b) advertising an alternative project on a project's repo is exceedingly rude.

The CVE is fixed - nobody is affected by it anymore, as long as they update their top-level application's lockfile. The only thing that's offered by the alternative you mention is that it uses tsconfig-paths v4, and afaik the only thing that adds is being able to use jsconfig, which most people don't even know exists, let alone uses.