Security Vulnerability in `jsonpath-plus` Dependency

[A5HM49]

Description:
I am using the api package and recently encountered a critical security vulnerability caused by a transitive dependency on jsonpath-plus. This package is vulnerable to remote code execution (RCE) in versions prior to 10.0.7, as outlined in GitHub Advisory GHSA-pppg-cpfq-h7wr.

Issue:
When manually upgrading oas to 25.2.1 to mitigate the vulnerability, compatibility issues arise with @readme/api due to breaking changes introduced in oas versions between 25.0.2 and 25.2.1.

Request:
Please update the oas dependency to ^25.2.1 or later within @readme/api.

Steps to Reproduce

• Install @readme/api.
• Run npm audit to identify the vulnerability in jsonpath-plus.
• Upgrade oas to 25.2.1.
• Attempt to use @readme/api and observe compatibility issues due to breaking changes in oas.

References
GitHub Advisory GHSA-pppg-cpfq-h7wr

[A5HM49]

[dkindt]

What's the ETA for getting an updated release that would bump this or the OAS package? Who owns releasing a new version of api that can publish a release? Been waiting for this for awhile.

[A5HM49]

@erunion @domharrington BUMP

[erunion]

Sorry, we are really strapped for time on other projects. I will try to publish a new release of this, with this fix, this weekend.

[dkindt]

@erunion Appreciate the update, and the work everyone is doing. Any chance you are able to push a new release?

[erunion]

I've just pushed a new release to our next channel for 7.0.0-beta.12 that includes this fix.

Resolving the v6 series is going to be challenging because upgrading jsonpath-plus will require bumping oas from v20 to v25 and there are a few breaking changes in there, including removal of Node 16. We've already removed support for Node 16 in api on v7 so I'm going to talk with @kanadgupta and see if we can pull v7 out of the next channel this week. Folks running v6 shouldn't have any issues upgrading to that.

[erunion]

Talked with @kanadgupta and it's going to take a bit of work to pull v7 out of our next channel as we still need to update a number of areas of our documentation, potentially remove support for Node 18 in the process as it's being EOL'd in April¹, and also improve some error handling around how api handles invalid API definitions.

All that said, this definitely isn't going to happen this week as we're strapped for time on other projects and it's unfortunately been me donating personal time to this one. I'm going to try to get the invalid API definition improvement in this weekend, and see what all docs need updating but I don't really have a guarantee or a timeline for when v7 will hit the main channels.

If you are really concerned about this jsonpath-plus dependency I will say that it is only used within our oas library as part of the analyzer tool it provides. We do not use this analyzer in any areas of api, and this jsonpath-plus dependency is not loaded in any usage of api or SDKs that we generate from it.

Footnotes

1. We'd rather ship a major release of this now rather than shipping another in two months. ↩

[erunion]

I'm working to resolve the problem directly in oas@20 by swapping out jsonpath-plus for jsonpath. Hoping to get that published this week, and then I'll do another api release to upgrade it there.

Thanks for your patience, everyone.

[erunion]

I've just published v6.1.3 which includes a fix to remove this package.

Thanks all.