jsonpath
New NPM version required to include static-eval security fix
Currently there is a vulnerability in static-eval that has been fixed with this pull request https://github.com/substack/static-eval/pull/21. Once this pull request has been merged, a new version of jsonpath will be needed.
Related NPM security advisory for static-eval
https://www.npmjs.com/advisories/758
Awaiting this fix!
If jsonpath can sometimes pass untrusted user input to static-eval, I recommend looking for/building a different, more focused module, because this sort of thing is inherent to static-eval's domain. static-eval has to be able to deal with callbacks and stuff, which may not make sense for jsonpath (I'm not sure how static-eval is used in this project, but I assume function calls are not expected to happen).
If jsonpath only ever passes trusted input to static-eval, the vulnerability is moot. You can use static-eval2, which 'fixes' the particular vulnerability to shut npm up, although I'm certain there are other ways to trigger this behaviour.
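The "more focused module" suggested above, as an added example that is not part of this thread or of jsonpath's code: a deliberately narrow evaluator for jsonpath-style filter expressions such as `@.price < 10` (this example assumes those `?()` filter expressions are where static-eval gets called). It accepts only an own-property path on `@`, one comparison operator and a scalar JSON literal, so there is nothing for calls or prototype walking to reach.

```javascript
// Hypothetical helper: a whitelist evaluator for filter expressions of the
// form `@.a.b <op> <JSON literal>`. Anything else is rejected up front,
// instead of being handed to a general-purpose evaluator like static-eval.
const FILTER_RE = /^@((?:\.[A-Za-z_$][\w$]*)+)\s*(<=|>=|==|!=|<|>)\s*(.+)$/;

const OPS = {
  '<': (a, b) => a < b, '<=': (a, b) => a <= b,
  '>': (a, b) => a > b, '>=': (a, b) => a >= b,
  '==': (a, b) => a === b, '!=': (a, b) => a !== b,
};

// Walk only own properties of plain objects: `constructor`, `__proto__` and
// other inherited members are never reached, and functions are never returned.
function lookup(obj, path) {
  let cur = obj;
  for (const key of path) {
    if (cur === null || typeof cur !== 'object') return undefined;
    if (!Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return typeof cur === 'function' ? undefined : cur;
}

// Parse once, returning a predicate over a single item (`@`).
function compileFilter(src) {
  const m = FILTER_RE.exec(src.trim());
  if (!m) throw new Error(`unsupported filter expression: ${src}`);
  const path = m[1].slice(1).split('.');
  let rhs;
  try { rhs = JSON.parse(m[3]); } catch (e) {
    throw new Error(`right-hand side must be a JSON literal: ${m[3]}`);
  }
  if (rhs !== null && typeof rhs === 'object') {
    throw new Error('only scalar literals are allowed on the right-hand side');
  }
  const cmp = OPS[m[2]];
  return (item) => {
    const lhs = lookup(item, path);
    return lhs !== undefined && cmp(lhs, rhs);
  };
}

function filterItems(items, src) { return items.filter(compileFilter(src)); }

// Constructed sample data.
const books = [
  { title: 'Sayings of the Century', price: 8.95 },
  { title: 'Sword of Honour', price: 12.99 },
];
```

Expressions containing a call, such as `@.price.toFixed(2) == "8.95"`, fail to parse rather than being evaluated.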
Hi! I'm the author of the vulnerability. I totally agree with what @goto-bus-stop said. This vuln doesn't work with the jsonpath library just because of a coincidence. But there will be other bypasses that will make jsonpath vulnerable if it is still using static-eval.
For more information about the vuln see the discussion at https://github.com/browserify/static-eval/pull/21
The new static-eval v2.0.1 is included in PR #121. Ref: https://www.npmjs.com/advisories/758
static-eval/pull/23 is the one that is really needed?
This has been fixed in https://github.com/dchester/jsonpath/commit/71e77519651d85db8fa9c2cc307a23f65b6f1999.
Although if jsonpath didn't pin its dependencies to specific versions, this wouldn't be necessary.