[BUG] Snyk vulnerability in version asyncapi/generator 2.5.0

Open Divya-hub-dot opened this issue 11 months ago • 6 comments

Describe the bug.

A critical vulnerability has been reported for the package jsonpath-plus, which originates from @asyncapi/[email protected]. To address this, we have upgraded @asyncapi/generator to versions 2.4.0 and even tested with the latest version 2.5.0. However, the issue persists along the following dependency path:

lib@* › @asyncapi/[email protected] › @asyncapi/[email protected][email protected]

To resolve this, jsonpath-plus needs to be upgraded to version 10.2.0, but unfortunately we are not able to do it ourselves, so could you please help us upgrade jsonpath-plus to 10.2.0, or guide us on how it can be done?

Expected behavior

Snyk vulnerabilities should not appear on the Snyk board under the path mentioned below.

How to Reproduce

  1. As suggested by the Snyk org, I upgraded @asyncapi/generator to version 2.4.0, but the Snyk vulnerability was still showing up.
  2. I then upgraded to 2.5.0, which is the latest version of @asyncapi/generator.
  3. The vulnerability is still showing up in the Snyk org, and it suggests upgrading jsonpath-plus to 10.2.0.
  4. So I need help/suggestions on upgrading jsonpath-plus to 10.2.0.

🥦 Browser

None

👀 Have you checked for similar open issues?

  • [X] I checked and didn't find a similar issue

🏢 Have you read the Contributing Guidelines?

Are you willing to work on this issue ?

None

Divya-hub-dot, Dec 10 '24 08:12
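The dependency path in this report is what a lockfile walk reveals. As an added example (not code from the asyncapi/generator project or from this issue's author), the following script walks an npm lockfile, lists every path that reaches jsonpath-plus, and flags any resolved version below the 10.2.0 fix; the lockfile and the @asyncapi/parser and jsonpath-plus versions in it are constructed placeholders.

```javascript
// Added example (not asyncapi/generator project code): walk an npm lockfile
// (lockfileVersion 3 "packages" map) and list every dependency path reaching a
// target package below its fixed version. SAMPLE_LOCK is constructed; the
// @asyncapi/parser and jsonpath-plus versions in it are placeholders.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "lib", dependencies: { "@asyncapi/generator": "^2.5.0" } },
    "node_modules/@asyncapi/generator": { version: "2.5.0", dependencies: { "@asyncapi/parser": "^3.0.0" } },
    "node_modules/@asyncapi/parser": { version: "3.0.0", dependencies: { "jsonpath-plus": "^9.0.0" } },
    "node_modules/jsonpath-plus": { version: "9.0.0" },
  },
};
// Numeric dotted-version compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// npm-style resolution: try the dependent's nested node_modules first, then walk up to the root.
function resolveEntry(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // no matching entry anywhere in the lockfile
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Depth-first search from the root package; `seen` guards against dependency cycles.
function findPaths(lock, target) {
  const packages = lock.packages, results = [];
  function walk(entryPath, chain, seen) {
    for (const dep of Object.keys(packages[entryPath].dependencies || {})) {
      const next = resolveEntry(packages, entryPath, dep);
      if (!next || seen.has(next)) continue;
      const version = packages[next].version, label = `${dep}@${version}`;
      if (dep === target) results.push({ path: [...chain, label], version });
      else walk(next, [...chain, label], new Set([...seen, next]));
    }
  }
  walk("", [packages[""].name || "root"], new Set());
  return results;
}
// Paths whose resolved target version is older than `minFixed`, rendered like Snyk's path view.
const vulnerablePaths = (lock, target, minFixed) => findPaths(lock, target)
  .filter(r => compareVersions(r.version, minFixed) < 0).map(r => r.path.join(" > "));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a path that still resolves below the fix after bumping the direct dependency means the fix has to land in the intermediate package (here parser-js) or be forced with a package.json `overrides` entry.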

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

github-actions[bot], Dec 10 '24 08:12

Thanks for the issue. Not a fix we should do in generator, only as a last resort; let's first try in https://github.com/asyncapi/parser-js/issues/1065#issuecomment-2536377521

derberg, Dec 11 '24 15:12

Hi @derberg, are asyncapi/generator & asyncapi/parser-js both the same??

asos-pareshjadhav, Dec 17 '24 04:12

@asos-pareshjadhav in what sense? I don't get your question; I need more context.

derberg, Dec 17 '24 08:12

This issue has been automatically marked as stale because it has not had recent activity :sleeping:

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under an open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience :heart:

github-actions[bot], Apr 17 '25 00:04

Still valid.

derberg, Jun 25 '25 13:06

@derberg I am interested in resolving this issue.

SanidhyaMadheshia, Sep 08 '25 21:09

Go ahead; there is a link to parser-js in the convo of this issue, where the issue should be solved first.

derberg, Sep 09 '25 06:09