Severe vulnerability in ts-config paths version that is required

[silverbackdan]

A new severe vulnerability has been found in json5 < 2.2.2

The version os tsconfig-paths that this plugin uses needs updating. 4.1.1 is the latest release which will update json5 to the latest version too. But this package requires 3.14.1

Is there any change of an update ASAP please?

This package is being used by a NuxtJS eslint config plugin I am using and should there be breaking changes or a major semver release as a result I will raise an issue there to get that updated too.

I'll raise an issue there so the maintainers can track this vulnerability.

This is my npm audit report:

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install @nuxtjs/eslint-config-typescript@6.0.1, which is a breaking change
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-import-resolver-typescript  2.6.0-beta - 2.7.1
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-import-resolver-typescript
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      @nuxtjs/eslint-config  >=7.0.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/@nuxtjs/eslint-config
        @nuxtjs/eslint-config-typescript  >=7.0.0
        Depends on vulnerable versions of @nuxtjs/eslint-config
        node_modules/@nuxtjs/eslint-config-typescript

[silverbackdan]

For anyone having this issue, for now, you can use overrides in your package.json. e.g.

"overrides": {
        "eslint-plugin-import": {
          "tsconfig-paths": {
            "json5": "^2.2.2"
          }
        }
  }

or whatever the dependency chain is in your project to the json5 requirement as that update is a minor semver from 2.2.1 to 2.2.2

[ljharb]

json5 v1.0.2 has already been updated with this fix, and either way, it's not a valid vulnerability.

As is the case with almost every JS CVE, the best course of action is to do nothing until the ecosystem fixes it for you.

This is a duplicate of #2625; a duplicate of #2628; a duplicate of #2626; a duplicate of #2627; a duplicate of #2631.

Please stop filing issues about a vulnerability on "not the vulnerable package", it doesn't help.

[silverbackdan]

Apologies for the duplicate. And believed it was relevant due to the dependency of an older version of tsconfig-paths which is relevant to this package, where being able to update that dependency I thought would have been a valid proposition.
Thanks anyway, and appreciate your package.

[ljharb]

Unfortunately it'd be a breaking change to upgrade tsconfig-paths, and #2447 is open for that, if we ever are doing a semver-major.