Package is dependent on outdated version of tsconfig-paths which is dependent on vulnerable versions of json5

[chelevich]

Package is dependent on outdated version of tsconfig-paths which is dependent on vulnerable version of json5

eslint-plugin-import@2.26.0 depends on "tsconfig-paths": "^3.14.1"
tsconfig-paths@3.14.1 depends on "json5": "^1.0.1"
which is vulnerable for Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h

json5@1.0.2 has the vulnerability fixed
and this sub-dependency is fixed in tsconfig-paths@4.1.2 - dividab/tsconfig-paths#233

eslint-plugin-import needs a higher version of tsconfig-paths

[ljharb]

No, it doesn't, because tsconfig-paths depends on json5 with ^1.0.1 which automatically includes v1.0.2.

Either way, it's not a valid vulnerability for eslint-plugin-import.

As is the case with almost every JS CVE, the best course of action is to do nothing until the ecosystem fixes it for you.

This is a duplicate of #2625; a duplicate of #2628; a duplicate of #2626; a duplicate of #2627; a duplicate of #2631; a duplicate of #2632; a duplicate of #2634; a duplicate of #2635; a duplicate of #2636; a duplicate of #2637; a duplicate of #2639; a duplicate of #2642; a duplicate of #2643.

All you need to do is update your lockfile.

[mattcasey]

In case others find this post, I had to delete my node_modules folder as well as package-lock.json when using npm, otherwise it kept using the same json5 for some reason