Skip to content

feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security fixed bug #1086

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security fixed bug #1086

wants to merge 4 commits into from

Conversation

@smoya
Copy link
Member

@smoya smoya commented Feb 12, 2025

@changeset-bot
Copy link

changeset-bot bot commented Feb 12, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 1895233

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@asyncapi/multi-parser Major

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@smoya smoya changed the title feat!(multi-parser): force json-path-plus to be ^10.0.7 due to security bugfix feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security bugfix Feb 12, 2025
@smoya smoya changed the title feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security bugfix feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security fixed bug Feb 12, 2025
@smoya smoya force-pushed the fix/update-json-path-plus branch from 40c2e4c to 9abdfec Compare February 12, 2025 19:14
@smoya smoya mentioned this pull request Feb 12, 2025
Open
2 tasks
jonaslagoni
jonaslagoni approved these changes Feb 13, 2025
View reviewed changes
Copy link
Member

@jonaslagoni jonaslagoni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test is kinda stuck?

@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 18, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@derberg
Copy link
Member

derberg commented Feb 19, 2025

tests on ubunto hang forever, like now I rerun and over 55min running

> test
> turbo run build && turbo run test
Attention:
Turborepo now collects completely anonymous telemetry regarding usage.
This information is used to shape the Turborepo roadmap and prioritize features.
You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
https://turbo.build/repo/docs/telemetry
• Packages in scope: @asyncapi/multi-parser, @asyncapi/parser
• Running build in 2 packages
• Remote caching disabled
@asyncapi/parser:build
@asyncapi/multi-parser:build
 Tasks:    2 successful, 2 total
Cached:    0 cached, 2 total
  Time:    27.44[6](https://github.com/asyncapi/parser-js/actions/runs/13396915805/job/37462920498?pr=1086#step:10:7)s 
• Packages in scope: @asyncapi/multi-parser, @asyncapi/parser
• Running test in 2 packages
• Remote caching disabled
@asyncapi/parser:build
@asyncapi/multi-parser:test

multi-parser test ran well, just @asyncapi/parser:test did not kick off at all - dunno why

@derberg
Copy link
Member

derberg commented Feb 19, 2025

maybe because of overrides the package-lock file should also be updated?

@pebo
Copy link

pebo commented Feb 19, 2025

Have you considered upgrading @stoplight/spectral-core to ^1.19.4?

With @asyncapi/parser v 3.4.0 we get:

├─ @asyncapi/parser@npm:3.4.0
│  └─ jsonpath-plus@npm:10.3.0 (via npm:^10.0.0)
│
├─ @stoplight/spectral-core@npm:1.18.3
│  └─ jsonpath-plus@npm:7.1.0 (via npm:7.1.0)
│
└─ nimma@npm:0.2.2
   └─ jsonpath-plus@npm:6.0.1 (via npm:^6.0.1)

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jun 9, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions
Copy link

github-actions bot commented Oct 8, 2025

This pull request has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this pull request, add a comment with detailed explanation.

There can be many reasons why some specific pull request has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this pull request forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

@github-actions github-actions bot added the stale label Oct 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jonaslagoni jonaslagoni jonaslagoni approved these changes

@magicmatatjahu magicmatatjahu Awaiting requested review from magicmatatjahu magicmatatjahu is a code owner

@asyncapi-bot-eve asyncapi-bot-eve Awaiting requested review from asyncapi-bot-eve asyncapi-bot-eve is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] @asyncapi/multi-parser still depending on vulnerable version of jsonpath-plus

5 participants

@smoya @derberg @pebo @jonaslagoni