Skip to content

feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security fixed bug#1086

Open
smoya wants to merge 5 commits into
masterfrom
fix/update-json-path-plus
Open

feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security fixed bug#1086
smoya wants to merge 5 commits into
masterfrom
fix/update-json-path-plus

Conversation

@smoya

@smoya smoya commented Feb 12, 2025

Copy link
Copy Markdown
Member

@changeset-bot

changeset-bot Bot commented Feb 12, 2025

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: f6047c6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@asyncapi/multi-parser Major

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@smoya smoya changed the title feat!(multi-parser): force json-path-plus to be ^10.0.7 due to security bugfix feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security bugfix Feb 12, 2025
@smoya smoya changed the title feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security bugfix feat(multi-parser)!: force json-path-plus to be ^10.0.7 due to security fixed bug Feb 12, 2025

@jonaslagoni jonaslagoni left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test is kinda stuck?

@sonarqubecloud

Copy link
Copy Markdown

@derberg

derberg commented Feb 19, 2025

Copy link
Copy Markdown
Member

tests on ubunto hang forever, like now I rerun and over 55min running

> test
> turbo run build && turbo run test
Attention:
Turborepo now collects completely anonymous telemetry regarding usage.
This information is used to shape the Turborepo roadmap and prioritize features.
You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
https://turbo.build/repo/docs/telemetry
• Packages in scope: @asyncapi/multi-parser, @asyncapi/parser
• Running build in 2 packages
• Remote caching disabled
@asyncapi/parser:build
@asyncapi/multi-parser:build
 Tasks:    2 successful, 2 total
Cached:    0 cached, 2 total
  Time:    27.44[6](https://github.com/asyncapi/parser-js/actions/runs/13396915805/job/37462920498?pr=1086#step:10:7)s 
• Packages in scope: @asyncapi/multi-parser, @asyncapi/parser
• Running test in 2 packages
• Remote caching disabled
@asyncapi/parser:build
@asyncapi/multi-parser:test

multi-parser test ran well, just @asyncapi/parser:test did not kick off at all - dunno why

@derberg

derberg commented Feb 19, 2025

Copy link
Copy Markdown
Member

maybe because of overrides the package-lock file should also be updated?

@pebo

pebo commented Feb 19, 2025

Copy link
Copy Markdown

Have you considered upgrading @stoplight/spectral-core to ^1.19.4?

With @asyncapi/parser v 3.4.0 we get:

├─ @asyncapi/parser@npm:3.4.0
│  └─ jsonpath-plus@npm:10.3.0 (via npm:^10.0.0)
│
├─ @stoplight/spectral-core@npm:1.18.3
│  └─ jsonpath-plus@npm:7.1.0 (via npm:7.1.0)
│
└─ nimma@npm:0.2.2
   └─ jsonpath-plus@npm:6.0.1 (via npm:^6.0.1)

@sonarqubecloud

sonarqubecloud Bot commented Jun 9, 2025

Copy link
Copy Markdown

@github-actions

github-actions Bot commented Oct 8, 2025

Copy link
Copy Markdown

This pull request has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this pull request, add a comment with detailed explanation.

There can be many reasons why some specific pull request has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this pull request forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

@github-actions github-actions Bot added the stale label Oct 8, 2025
@github-actions github-actions Bot closed this Feb 5, 2026
@derberg derberg reopened this Feb 5, 2026
@derberg
derberg requested a review from fmvilas as a code owner February 5, 2026 13:09
@sonarqubecloud

sonarqubecloud Bot commented Feb 5, 2026

Copy link
Copy Markdown

@github-actions github-actions Bot removed the stale label Feb 6, 2026
@shivansh-source

shivansh-source commented Feb 15, 2026

Copy link
Copy Markdown

can i try this with a new branch andd make sure test dont fail @derberg

@shivansh-source

Copy link
Copy Markdown

i feel the solution is more of a workaround then actually tackling the root cause

@github-actions

Copy link
Copy Markdown

This pull request has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this pull request, add a comment with detailed explanation.

There can be many reasons why some specific pull request has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this pull request forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

@github-actions github-actions Bot added the stale label Jun 16, 2026
@kraenhansen

Copy link
Copy Markdown
Contributor

This is solving an issue #1065 which is still a problem. @shivansh-source please suggest a better alternative approach to guide a future PR into the direction you would be willing to accept, the problem this is solving is real.

@github-actions github-actions Bot removed the stale label Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] @asyncapi/multi-parser still depending on vulnerable version of jsonpath-plus

6 participants