Dev dependency json5 needs to be upgraded due to a CVE issue linked to the minimist package (CVE-2021-44906)

[GeccoRhiguelNavalta]

This project is currently using an older version of the json5 package, which includes minimist@1.2.5 and has a vulnerability issue (CVE-2021-44906). For more details, you can refer to: https://avd.aquasec.com/nvd/2021/cve-2021-44906/

Please consider upgrading the json5 package to address this issue. You can find the latest version and release information at: https://github.com/json5/json5/blob/de344f0619bda1465a6e25c76f1c0c3dda8108d9/CHANGELOG.md?plain=1#L28

[ljharb]

No, it doesn't. The latest version of json5 v1 and v2 both fix the problem, which never actually applied to us in the first place.

YOU need to update json5 in your own lockfiles if you want to avoid being notified by tooling.

Nope, because v4 drops support for engines that we support, so we can't ever upgrade past v3. Also, i'm not sure what vulnerabilities you mean; json5's vulnerability was fixed in v1 so it shouldn't be a problem.

Duplicate of #2447. Duplicate of #2660. Duplicate of #2625; a duplicate of #2628; a duplicate of #2626; a duplicate of #2627; a duplicate of #2631; a duplicate of #2632; a duplicate of #2634; a duplicate of #2635; a duplicate of #2636; a duplicate of #2637; a duplicate of #2639; a duplicate of #2642; a duplicate of #2643; a duplicate of #2649; a duplicate of #2655. Duplicate of #2888.