Package is dependent on vulnerable version of json5 #2643

Closed
Soumalya-Github opened this issue Jan 3, 2023 · 9 comments

Comments

@Soumalya-Github

The latest version of the eslint-plugin-import package is 2.26.0. This supports the dependent tsconfig-paths package version up to 3.14.1 which in turn supports json5 version up to 1.0.1.

Can you please release a version with tsconfig-paths v4.1.x which in turn would support json5 version >2.2.2 ?

@gvsakki

gvsakki commented Jan 3, 2023

Same issue with Amazon Inspector....

@HandyHat

HandyHat commented Jan 3, 2023

The fix for this vulnerability has been backported to json5 v1.0.2 too so this is no longer an issue, as v1.0.2 is compatible with tsconfig-paths v3.14.1

@pl4yradam

+1

@smo043

smo043 commented Jan 3, 2023

> The fix for this vulnerability has been backported to json5 v1.0.2 too so this is no longer an issue, as v1.0.2 is compatible with tsconfig-paths v3.14.1

@HandyHat Thank you, any ETA for releasing the new package version?

@jimmy-guzman

@smo043 a new package version should not be needed since json5 is marked as in minor range so you just need to upgrade dependencies
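The two points made above (the 1.0.2 backport is compatible with tsconfig-paths 3.14.1, and json5 sits in a minor range so refreshing the lockfile is enough) can be checked against a lockfile directly. The following is an added example written for this thread; it is not code from eslint-plugin-import, tsconfig-paths or json5. It walks the `packages` map of a `package-lock.json` (lockfileVersion 2/3), reports every resolved copy of json5, and marks each as fixed or still affected using the patched versions named in the thread (1.0.2 for the 1.x line, 2.2.2 for the 2.x line). The sample lockfile is constructed, the `other-tool` package in it is hypothetical, and the `^1.0.1` range attributed to tsconfig-paths 3.x is an assumption.

```javascript
// Added example for this thread; not code from eslint-plugin-import,
// tsconfig-paths or json5. Reports what a lockfile resolves json5 to and whether
// each copy is at or above the patched version for its major line, as stated in
// the thread: 1.0.2 (backport to the 1.x line) and 2.2.2 (2.x line). Any other
// major line is treated as affected because no backport is mentioned for it.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major.minor.patch comparison; prerelease tags are deliberately ignored.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const JSON5_PATCHED_BY_MAJOR = { 1: '1.0.2', 2: '2.2.2' };

function json5Status(version) {
  const patched = JSON5_PATCHED_BY_MAJOR[parseVersion(version)[0]];
  if (!patched) return 'affected';
  return compareVersions(version, patched) >= 0 ? 'fixed' : 'affected';
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json. Nested
// copies (node_modules/x/node_modules/json5) are checked too, since npm audit
// reports each resolved copy separately.
function auditJson5(lockfile) {
  const results = [];
  for (const [pkgPath, entry] of Object.entries(lockfile.packages || {})) {
    if (pkgPath === 'node_modules/json5' || pkgPath.endsWith('/node_modules/json5')) {
      results.push({ path: pkgPath, version: entry.version, status: json5Status(entry.version) });
    }
  }
  return results;
}

// Caret-range check for the "json5 is in minor range" point. Handles major >= 1
// only (0.x caret semantics differ and are not needed here).
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const lo = range.slice(1);
  if (parseVersion(lo)[0] < 1) throw new Error('0.x caret ranges not handled');
  if (parseVersion(version)[0] !== parseVersion(lo)[0]) return false;
  return compareVersions(version, lo) >= 0;
}

// Constructed sample lockfile, not taken from any real project. The hoisted json5
// is still 1.0.1 (affected); a nested copy under a hypothetical "other-tool"
// package is already 2.2.2 (fixed). tsconfig-paths 3.x's declared json5 range is
// assumed here to be "^1.0.1".
const SAMPLE_LOCK = {
  name: 'demo',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', devDependencies: { 'eslint-plugin-import': '^2.26.0' } },
    'node_modules/eslint-plugin-import': { version: '2.26.0', dependencies: { 'tsconfig-paths': '^3.14.1' } },
    'node_modules/tsconfig-paths': { version: '3.14.1', dependencies: { json5: '^1.0.1' } },
    'node_modules/json5': { version: '1.0.1' },
    'node_modules/other-tool': { version: '1.0.0', dependencies: { json5: '^2.2.2' } },
    'node_modules/other-tool/node_modules/json5': { version: '2.2.2' },
  },
};

for (const r of auditJson5(SAMPLE_LOCK)) {
  console.log(`${r.path}  ${r.version}  ${r.status}`);
}
const tsconfigPathsRange = SAMPLE_LOCK.packages['node_modules/tsconfig-paths'].dependencies.json5;
console.log(`${tsconfigPathsRange} admits 1.0.2: ${satisfiesCaret(tsconfigPathsRange, '1.0.2')}`);
console.log(`${tsconfigPathsRange} admits 2.2.2: ${satisfiesCaret(tsconfigPathsRange, '2.2.2')}`);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. An "affected" hoisted 1.0.1 is the case the thread describes: because 1.0.2 satisfies the same caret range, `npm update json5` (or `npm ls json5` to inspect first) moves it to the backported fix without touching tsconfig-paths or eslint-plugin-import, whereas 2.2.2 falls outside the range and would need the tsconfig-paths 4 bump discussed below.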

@peterbe

peterbe commented Jan 3, 2023

Don't we need to upgrade the dependency of tsconfig-paths to v4?

https://github.com/dividab/tsconfig-paths/blob/master/CHANGELOG.md is the change log.

It upgraded its dependency to json5@2.2.2 yesterday, so if we can start to rely on tsconfig-paths@4.1.2 it would resolve the upgrade of json5.

@smo043

smo043 commented Jan 3, 2023

> @smo043 a new package version should not be needed since json5 is marked as in minor range so you just need to upgrade dependencies

@jimmy-guzman - the version I have installed is ^2.26.0; I don't see a new minor version release.

@smichel-amiltone

> The fix for this vulnerability has been backported to json5 v1.0.2 too so this is no longer an issue, as v1.0.2 is compatible with tsconfig-paths v3.14.1

My version : "eslint-plugin-import": "^2.26.0"

```
>> npm audit fix

up to date, audited 337 packages in 2s

74 packages are looking for funding
  run `npm fund` for details

# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install eslint-plugin-import@2.24.1, which is a breaking change
node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      eslint-config-airbnb-base  >=15.0.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-airbnb-typescript/node_modules/eslint-config-airbnb-base
        eslint-config-airbnb-typescript  >=16.0.0
        Depends on vulnerable versions of eslint-config-airbnb-base
        Depends on vulnerable versions of eslint-plugin-import
        node_modules/eslint-config-airbnb-typescript

5 high severity vulnerabilities
```

Please provide an eslint-plugin-import that does not rely on a tsconfig-paths that relies on this json5 vulnerability.
Forcing the json5 version to v1.0.2 ourselves isn't a patch.

Thx

@ljharb
Member

ljharb commented Jan 3, 2023

json5 v1.0.2 has already been updated with this fix, and either way, it's not a valid vulnerability for eslint-plugin-import.

As is the case with almost every JS CVE, the best course of action is to do nothing until the ecosystem fixes it for you.

This is a duplicate of #2625; a duplicate of #2628; a duplicate of #2626; a duplicate of #2627; a duplicate of #2631; a duplicate of #2632; a duplicate of #2634; a duplicate of #2635; a duplicate of #2636; a duplicate of #2637; a duplicate of #2639; a duplicate of #2642.

The Github advisory has now been updated, so hopefully you won’t see any more warnings, but either way, just wait.
