Vulnerability in dependancy

[rory-ferguson]

There is a vulnerability disclosed recently in a package this library is dependant on.

There is a PR to fix this here: json-schema-faker/json-schema-faker#822

I am on @stoplight/prism-cli version 5.10.0

Vulnerability is disclosed here GHSA-pppg-cpfq-h7wr

# npm audit report

jsonpath-plus  <10.0.0
Severity: critical
JSONPath Plus Remote Code Execution (RCE) Vulnerability - https://github.com/advisories/GHSA-pppg-cpfq-h7wr
fix available via `npm audit fix --force`
Will install @stoplight/prism-cli@4.4.3, which is a breaking change
node_modules/jsonpath-plus
  json-schema-faker  0.5.0-rc1 - 0.5.0-rcv.46 || >=0.5.2
  Depends on vulnerable versions of jsonpath-plus
  node_modules/json-schema-faker
    @stoplight/prism-cli  *
    Depends on vulnerable versions of @stoplight/prism-http
    Depends on vulnerable versions of @stoplight/prism-http-server
    Depends on vulnerable versions of json-schema-faker
    node_modules/@stoplight/prism-cli
    @stoplight/prism-http  >=3.0.0-alpha.0
    Depends on vulnerable versions of json-schema-faker
    node_modules/@stoplight/prism-http
      @stoplight/prism-http-server  *
      Depends on vulnerable versions of @stoplight/prism-http
      node_modules/@stoplight/prism-http-server

5 critical severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

[rory-ferguson]

To be precise the vulnerability is present for the jsonpath-plus dependancy which is a dependency of json-schema-faker library that prism is dependant on.

[bo-acc]

indeed, this vulnerability is introduced via json-schema-faker. I have checked and the latest version of json-schema-faker patches jsonpath-plus https://github.com/json-schema-faker/json-schema-faker/blob/master/package.json#L103

[bo-acc]

I have raise a PR

[mnaumanali94]

This should be fixed in 5.11.1 release. Thanks @bo-acc

[bo-acc]

This should be fixed in 5.11.1 release. Thanks @bo-acc

Thank you!