fix: security issue of simple-eval package is fixed #2886
Merged
prafullaAtSB
left a comment
Have we not written new test cases? Can you add the test case to test the Spectral rule?
prafullaAtSB
approved these changes
Feb 11, 2026
prafullaAtSB
left a comment
The fix changes are good for next steps.
tomek-tursa-sb
approved these changes
Feb 12, 2026
stoplight-bot
pushed a commit
that referenced
this pull request
Apr 13, 2026
## [6.15.1](https://github.com/stoplightio/spectral/compare/@stoplight/spectral-cli-6.15.0...@stoplight/spectral-cli-6.15.1) (2026-04-13)

### Bug Fixes

* **cli:** fix bug where output gets truncated when too long ([#2862](#2862)) ([0e6fd33](0e6fd33))
* **cli:** throw error if no file found to lint ([#2778](#2778)) ([3e20072](3e20072))
* **core:** fix security issue of simple-eval package ([#2886](#2886)) ([8120a76](8120a76))
* **core:** respect off severity in intermediate rulesets ([#2890](#2890)) ([5b99b99](5b99b99))
* **formatters:** Fix rendering of github actions documentationUrl ([#2895](#2895)) ([df27b06](df27b06))
* **formatters:** markdown formatter with invalid-ref crashes spectral ([#2905](#2905)) ([59728e4](59728e4))
* **functions:** export or function ([#2812](#2812)) ([03532a5](03532a5))
* **repo:** release step marking repo as save for git ([#2884](#2884)) ([87147a6](87147a6))
* **repo:** remove acceptance step on release ([#2882](#2882)) ([73496c6](73496c6))
* **ruleset-migrator:** fix ruleset migrator output when a rule name contains '/' ([#2859](#2859)) ([115d1d0](115d1d0))
* **rulesets:** use uri-reference for openIdConnectUrl ([#2796](#2796)) ([c57eb59](c57eb59))

### Features

* **core:** allow extending rulesets with aliases ([#2870](#2870)) ([8db9718](8db9718))
* **core:** further adjustments for extending rulesets with aliases ([#2939](#2939)) ([26144bc](26144bc))
* **repo:** circleci migration to GHA (OP-35885) ([#2867](#2867)) ([884f079](884f079))
* **repo:** npm release workflow as gha ([#2880](#2880)) ([0147d6e](0147d6e))
* **repo:** post develop merge workflow ([#2877](#2877)) ([9420713](9420713))
* **repo:** replace skypack usage with esm cdn ([#2940](#2940)) ([0d6a910](0d6a910))
stoplight-bot
pushed a commit
that referenced
this pull request
Apr 13, 2026
# [1.22.0](https://github.com/stoplightio/spectral/compare/@stoplight/spectral-core-1.21.0...@stoplight/spectral-core-1.22.0) (2026-04-13)

### Bug Fixes

* **cli:** fix bug where output gets truncated when too long ([#2862](#2862)) ([0e6fd33](0e6fd33))
* **cli:** throw error if no file found to lint ([#2778](#2778)) ([3e20072](3e20072))
* **core:** fix security issue of simple-eval package ([#2886](#2886)) ([8120a76](8120a76))
* **core:** respect off severity in intermediate rulesets ([#2890](#2890)) ([5b99b99](5b99b99))
* **formatters:** Fix rendering of github actions documentationUrl ([#2895](#2895)) ([df27b06](df27b06))
* **formatters:** markdown formatter with invalid-ref crashes spectral ([#2905](#2905)) ([59728e4](59728e4))
* **rulesets:** use uri-reference for openIdConnectUrl ([#2796](#2796)) ([c57eb59](c57eb59))

### Features

* **core:** further adjustments for extending rulesets with aliases ([#2939](#2939)) ([26144bc](26144bc))
* **repo:** replace skypack usage with esm cdn ([#2940](#2940)) ([0d6a910](0d6a910))
stoplight-bot
pushed a commit
that referenced
this pull request
Apr 13, 2026
## [1.5.1](https://github.com/stoplightio/spectral/compare/@stoplight/spectral-formatters-1.5.0...@stoplight/spectral-formatters-1.5.1) (2026-04-13)

### Bug Fixes

* **cli:** fix bug where output gets truncated when too long ([#2862](#2862)) ([0e6fd33](0e6fd33))
* **cli:** throw error if no file found to lint ([#2778](#2778)) ([3e20072](3e20072))
* **core:** fix security issue of simple-eval package ([#2886](#2886)) ([8120a76](8120a76))
* **core:** respect off severity in intermediate rulesets ([#2890](#2890)) ([5b99b99](5b99b99))
* **formatters:** Fix rendering of github actions documentationUrl ([#2895](#2895)) ([df27b06](df27b06))
* **formatters:** markdown formatter with invalid-ref crashes spectral ([#2905](#2905)) ([59728e4](59728e4))
* **functions:** export or function ([#2812](#2812)) ([03532a5](03532a5))
* **repo:** release step marking repo as save for git ([#2884](#2884)) ([87147a6](87147a6))
* **repo:** remove acceptance step on release ([#2882](#2882)) ([73496c6](73496c6))
* **ruleset-migrator:** fix ruleset migrator output when a rule name contains '/' ([#2859](#2859)) ([115d1d0](115d1d0))
* **rulesets:** use uri-reference for openIdConnectUrl ([#2796](#2796)) ([c57eb59](c57eb59))

### Features

* **core:** allow extending rulesets with aliases ([#2870](#2870)) ([8db9718](8db9718))
* **core:** further adjustments for extending rulesets with aliases ([#2939](#2939)) ([26144bc](26144bc))
* **repo:** circleci migration to GHA (OP-35885) ([#2867](#2867)) ([884f079](884f079))
* **repo:** npm release workflow as gha ([#2880](#2880)) ([0147d6e](0147d6e))
* **repo:** post develop merge workflow ([#2877](#2877)) ([9420713](9420713))
* **repo:** replace skypack usage with esm cdn ([#2940](#2940)) ([0d6a910](0d6a910))
stoplight-bot
pushed a commit
that referenced
this pull request
Apr 13, 2026
# [1.12.0](https://github.com/stoplightio/spectral/compare/@stoplight/spectral-ruleset-migrator-1.11.3...@stoplight/spectral-ruleset-migrator-1.12.0) (2026-04-13)

### Bug Fixes

* **cli:** fix bug where output gets truncated when too long ([#2862](#2862)) ([0e6fd33](0e6fd33))
* **cli:** throw error if no file found to lint ([#2778](#2778)) ([3e20072](3e20072))
* **core:** fix security issue of simple-eval package ([#2886](#2886)) ([8120a76](8120a76))
* **core:** respect off severity in intermediate rulesets ([#2890](#2890)) ([5b99b99](5b99b99))
* **formatters:** Fix rendering of github actions documentationUrl ([#2895](#2895)) ([df27b06](df27b06))
* **formatters:** markdown formatter with invalid-ref crashes spectral ([#2905](#2905)) ([59728e4](59728e4))
* **repo:** release step marking repo as save for git ([#2884](#2884)) ([87147a6](87147a6))
* **repo:** remove acceptance step on release ([#2882](#2882)) ([73496c6](73496c6))
* **rulesets:** use uri-reference for openIdConnectUrl ([#2796](#2796)) ([c57eb59](c57eb59))

### Features

* **core:** allow extending rulesets with aliases ([#2870](#2870)) ([8db9718](8db9718))
* **core:** further adjustments for extending rulesets with aliases ([#2939](#2939)) ([26144bc](26144bc))
* **repo:** circleci migration to GHA (OP-35885) ([#2867](#2867)) ([884f079](884f079))
* **repo:** npm release workflow as gha ([#2880](#2880)) ([0147d6e](0147d6e))
* **repo:** post develop merge workflow ([#2877](#2877)) ([9420713](9420713))
* **repo:** replace skypack usage with esm cdn ([#2940](#2940)) ([0d6a910](0d6a910))
stoplight-bot
pushed a commit
that referenced
this pull request
Apr 13, 2026
## [1.22.1](https://github.com/stoplightio/spectral/compare/@stoplight/spectral-rulesets-1.22.0...@stoplight/spectral-rulesets-1.22.1) (2026-04-13)

### Bug Fixes

* **cli:** fix bug where output gets truncated when too long ([#2862](#2862)) ([0e6fd33](0e6fd33))
* **cli:** throw error if no file found to lint ([#2778](#2778)) ([3e20072](3e20072))
* **core:** fix security issue of simple-eval package ([#2886](#2886)) ([8120a76](8120a76))
* **core:** respect off severity in intermediate rulesets ([#2890](#2890)) ([5b99b99](5b99b99))
* **formatters:** Fix rendering of github actions documentationUrl ([#2895](#2895)) ([df27b06](df27b06))
* **formatters:** markdown formatter with invalid-ref crashes spectral ([#2905](#2905)) ([59728e4](59728e4))
* **functions:** export or function ([#2812](#2812)) ([03532a5](03532a5))
* **repo:** release step marking repo as save for git ([#2884](#2884)) ([87147a6](87147a6))
* **repo:** remove acceptance step on release ([#2882](#2882)) ([73496c6](73496c6))
* **ruleset-migrator:** fix ruleset migrator output when a rule name contains '/' ([#2859](#2859)) ([115d1d0](115d1d0))
* **rulesets:** use uri-reference for openIdConnectUrl ([#2796](#2796)) ([c57eb59](c57eb59))

### Features

* **core:** allow extending rulesets with aliases ([#2870](#2870)) ([8db9718](8db9718))
* **core:** further adjustments for extending rulesets with aliases ([#2939](#2939)) ([26144bc](26144bc))
* **repo:** circleci migration to GHA (OP-35885) ([#2867](#2867)) ([884f079](884f079))
* **repo:** npm release workflow as gha ([#2880](#2880)) ([0147d6e](0147d6e))
* **repo:** post develop merge workflow ([#2877](#2877)) ([9420713](9420713))
* **repo:** replace skypack usage with esm cdn ([#2940](#2940)) ([0d6a910](0d6a910))
🎉 This PR is included in version 1.22.0 🎉

The release is available on

Your semantic-release bot 📦🚀
stoplight-bot
pushed a commit
that referenced
this pull request
Apr 14, 2026
## [1.1.5](https://github.com/stoplightio/spectral/compare/@stoplight/spectral-runtime-1.1.4...@stoplight/spectral-runtime-1.1.5) (2026-04-14)

### Bug Fixes

* **cli:** fix bug where output gets truncated when too long ([#2862](#2862)) ([0e6fd33](0e6fd33))
* **cli:** throw error if no file found to lint ([#2778](#2778)) ([3e20072](3e20072))
* **core:** fix security issue of simple-eval package ([#2886](#2886)) ([8120a76](8120a76))
* **core:** respect off severity in intermediate rulesets ([#2890](#2890)) ([5b99b99](5b99b99))
* **deps:** bump elliptic from 6.6.0 to 6.6.1 ([#2782](#2782)) ([5ff9602](5ff9602))
* **deps:** fix yarn lockfile ([e6c3b9d](e6c3b9d))
* **deps:** post lodash update changes for semantic release ([#2942](#2942)) ([bf530dd](bf530dd))
* **deps:** update spectral-core in cli ([35687cd](35687cd))
* **formatters:** Fix rendering of github actions documentationUrl ([#2895](#2895)) ([df27b06](df27b06))
* **formatters:** markdown formatter with invalid-ref crashes spectral ([#2905](#2905)) ([59728e4](59728e4))
* **functions:** export or function ([#2812](#2812)) ([03532a5](03532a5))
* **repo:** release step marking repo as save for git ([#2884](#2884)) ([87147a6](87147a6))
* **repo:** remove acceptance step on release ([#2882](#2882)) ([73496c6](73496c6))
* **repo:** replace discord link with forum link ([#2793](#2793)) ([6229442](6229442))
* **ruleset-migrator:** fix ruleset migrator output when a rule name contains '/' ([#2859](#2859)) ([115d1d0](115d1d0))
* **rulesets:** use uri-reference for openIdConnectUrl ([#2796](#2796)) ([c57eb59](c57eb59))

### Features

* **core:** add documentUrl to JS api and cli formatters ([#2443](#2443)) ([e787728](e787728))
* **core:** allow extending rulesets with aliases ([#2870](#2870)) ([8db9718](8db9718))
* **core:** further adjustments for extending rulesets with aliases ([#2939](#2939)) ([26144bc](26144bc))
* **functions:** add or function ([#2798](#2798)) ([d9ef27f](d9ef27f))
* **repo:** circleci migration to GHA (OP-35885) ([#2867](#2867)) ([884f079](884f079))
* **repo:** npm release workflow as gha ([#2880](#2880)) ([0147d6e](0147d6e))
* **repo:** post develop merge workflow ([#2877](#2877)) ([9420713](9420713))
* **repo:** replace skypack usage with esm cdn ([#2940](#2940)) ([0d6a910](0d6a910))
Fixes #[STOP-4199].
Checklist
Does this PR introduce a breaking change?
Screenshots

Screen.Recording.2026-02-10.at.12.31.07.PM.mov
Additional context
Doc for ref: https://smartbear.atlassian.net/wiki/spaces/Stoplight/pages/5964562454/Security+Fix+_eval+Replacement+with+expr-eval-fork