This repository was archived by the owner on Jul 7, 2025. It is now read-only.

Security - Address CVE-2022-46175 in json5#61

Closed
kj4ezj wants to merge 2 commits into tibdex:main from AntelopeIO:zach-json5

Conversation


@kj4ezj kj4ezj commented Jan 25, 2023

This pull request attempts to address CVE-2022-46175 - Prototype Pollution in JSON5 via Parse Method by using the resolutions field in the package.json to force yarn to select a version of this transitive dependency that has been patched for this CVE regardless of what version the parent dependency is asking for.

I believe this is a reasonable approach because the difference between what was requested and what is forced is only one or two patch versions.

-json5@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/json5/-/json5-1.0.1.tgz#779fb0018604fa854eacbf6252180d83543e3dbe"
-  integrity sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==
-  dependencies:
-    minimist "^1.2.0"
-
-json5@^2.2.1:
-  version "2.2.1"
-  resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.1.tgz#655d50ed1e6f95ad1a3caababd2b0efda10b395c"
-  integrity sha512-1hqLFMSrGHRHxav9q9gNjJ5EXznIxGVO09xQRrwplcS8qs28pZ8s8hupZAmqDwZUmVZ2Qb2jnyPOWcDH8m8dlA==
+json5@^1.0.1, "json5@^1.0.2 || ^2.2.2", json5@^2.2.1:
+  version "2.2.3"
+  resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283"
+  integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==
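Review bot: the collapsed entry sends the `json5@^1.0.1` requesters (tsconfig-paths@3.14.1 via eslint-plugin-import and xo, per the description) to 2.2.3, which is a major-version jump out of their declared range rather than the "one or two patch versions" the description claims; the patched 1.x release is visible in the new header's own range (`"json5@^1.0.2 || ^2.2.2"`), so a resolution that keeps 1.x requesters on ^1.0.2 would fix the CVE without changing the major version those packages were tested against. The removed 1.0.1 block also carried a `minimist "^1.2.0"` dependency that 2.2.3 does not; confirm whether a now-orphaned `minimist` entry elsewhere in yarn.lock should be pruned in the same change.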

That being said, a better solution would be to update the parents causing the transitive dependencies requesting the old package version instead of using resolutions.

eslint-plugin-import@2.26.0 requires json5@^1.0.1 via a transitive dependency on tsconfig-paths@3.14.1
xo@0.52.4 requires json5@^1.0.1 via a transitive dependency on tsconfig-paths@3.14.1

See Also

@kj4ezj kj4ezj changed the title Address CVE-2022-46175 in json5 Security - Address CVE-2022-46175 in json5 Jan 25, 2023
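To make the check in the description repeatable, here is an added example (not code from this PR or from the project) that parses a yarn.lock v1 fragment in the format shown above and flags json5 blocks whose resolved version still predates the fix for CVE-2022-46175; the fix floors (1.0.2 and 2.2.2) are taken from the patched range the lock file requests, and the lock fragments are constructed to mirror the before/after state of the diff.

```javascript
// Added example (not the PR's or the project's code): audit a yarn.lock v1 fragment for
// json5 entries still resolving to versions affected by CVE-2022-46175. Fix floors come
// from the patched range the lock requests ("^1.0.2 || ^2.2.2"): 1.0.2 on 1.x, 2.2.2 on 2.x.
const FIXED_FLOORS = { 1: [1, 0, 2], 2: [2, 2, 2] };

// Minimal yarn.lock v1 parser: one { specs, version } record per dependency block.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Block header, e.g.  json5@^1.0.1, "json5@^1.0.2 || ^2.2.2", json5@^2.2.1:
      const specs = line.replace(/:\s*$/, "").split(",").map((s) => s.trim().replace(/^"(.*)"$/, "$1"));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// True when the resolved version predates the fix on its major line.
function isVulnerableJson5(version) {
  const [major, minor, patch] = version.split(".").map(Number);
  const floor = FIXED_FLOORS[major];
  if (!floor) return major < 1; // 0.x predates the fix; later majors would carry it
  const diff = [major - floor[0], minor - floor[1], patch - floor[2]].find((d) => d !== 0);
  return (diff ?? 0) < 0;
}

// Returns the json5 blocks whose resolved version is still vulnerable.
function findVulnerableJson5(lockText) {
  return parseYarnLock(lockText).filter(
    (e) => e.version && e.specs.some((s) => s.startsWith("json5@")) && isVulnerableJson5(e.version));
}

// Constructed lock fragments mirroring the PR's before/after state.
const LOCK_BEFORE = `json5@^1.0.1:
  version "1.0.1"

json5@^2.2.1:
  version "2.2.1"
`;
const LOCK_AFTER = `json5@^1.0.1, "json5@^1.0.2 || ^2.2.2", json5@^2.2.1:
  version "2.2.3"
`;
console.log(findVulnerableJson5(LOCK_BEFORE).map((e) => e.version)); // [ '1.0.1', '2.2.1' ]
```

Running it against the real lock file (`fs.readFileSync("yarn.lock", "utf8")`) gives a CI-friendly assertion that no vulnerable json5 resolution remains after the `resolutions` override is applied.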
Author

kj4ezj commented Jan 25, 2023

Closing in favor of pull request 57.

@kj4ezj kj4ezj closed this Jan 25, 2023
@kj4ezj kj4ezj deleted the zach-json5 branch January 25, 2023 11:39
