chore(dependencies): bump @apidevtools/json-schema-ref-parser to 11.6.2 #256
Conversation
Change looks good but the description is wrong - see comment on #255
+1 to this. This old version is an issue using Node v20
ping @philsturgeon
@Yasiruofficial or @kibertoad, are you able to help with this?
Please be aware I have a strong feeling it was pegged to that older version due to a pesky bug which has escaped my memory, but as many of you are asking for an update for security reasons I'm going to merge this. I hope the release process happens. I hope it works. If it doesn't please shout at me a bit more, but this tool is basically abandoned and I recommend https://github.com/Redocly/redocly-cli/ these days.
@philsturgeon why not use the latest 11.7.0, though?
@philsturgeon maybe you would be open to inviting additional maintainers and releasers, if you don't have capacity to maintain anymore? (which is very understandable)
@kibertoad: thanks for the understanding! I'd be happy to. The amazing @jonluca has been working on other packages but I don't want to overload them. Who fancies stepping up? Also I have no idea what version is latest or who is doing what, I just remember this package was stuck on an old version because things broke but that was years ago. I'm trying to get it working locally as GitHub Actions are failing but this is cutting into time for the crowdfunder I'm running to buy another 70 acres of woodland in Bath UK and that's stressing me out.
This did not work.
That's on me for not having test checks enabled, but somebody is going to need to submit a fix for that.
@philsturgeon I have plenty of packages on my plate already, but I can help with reviewing PRs and cutting releases here and there.
That's what we need. I honestly couldn't tell you what's going on here so you're already more qualified. I'm cleaning my spades for another winter of planting and sharpening my chainsaw for another season of mangling rhododendrons. I couldn't care any less about this package, no offense to anyone who uses it. 🤣
@philsturgeon sounds good then, if you give me repo steward permissions and npm publish ones, I can see what I can do
They did the rewrite from JS to TS in the "minor" release v10.1.0. Most things are still there, rearranged a little, but https://github.com/APIDevTools/swagger-parser/blob/8a956fa/lib/options.js here seems to be very incompatible with the
Is there something I can help with? Happy to fix anything specific that comes up
@jonluca Can you look into fixing CI? master seems to be failing :-/. And adding recent Node versions into the mix would be great
I've fixed CI and cleaned up some of the stuff that was super broken. I think it probably makes sense to release this as a breaking change since there were so many small differences in json-schema-ref-parser though.
@jonluca thank you!
A dependency used in this project, @apidevtools/json-schema-ref-parser, is vulnerable to a prototype pollution attack, as listed in https://nvd.nist.gov/vuln/detail/CVE-2024-29651 (GHSA-5f97-h2c2-826q).
This PR bumps the dependency to prevent any vulnerabilities.
Closes #255
References
https://ossindex.sonatype.org/vulnerability/CVE-2024-29651
GHSA-5f97-h2c2-826q
APIDevTools/json-schema-ref-parser@8cad7f7
https://nvd.nist.gov/vuln/detail/CVE-2024-29651
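The PR description names prototype pollution in the $ref resolver as the reason for the bump. As an added example (not code from swagger-parser, json-schema-ref-parser, or the PR), the block below shows two defender-side checks a consumer can keep around a dependency like this: refusing untrusted schema documents that carry prototype-polluting keys before they reach the resolver, and detecting at runtime whether Object.prototype has gained properties since startup. The sample documents are constructed; the function names are this example's own.

```javascript
// Added example, not code from swagger-parser or json-schema-ref-parser.
// Keys that a naive recursive merge would write onto Object.prototype.
const POLLUTING_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON document and return JSON-pointer-like paths of every
// polluting key. JSON.parse turns "__proto__" into an own property, so
// Object.keys() sees it and the walk can flag it before any merge happens.
function findPollutingKeys(node, path = "", out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findPollutingKeys(item, `${path}/${i}`, out));
  } else if (node !== null && typeof node === "object") {
    for (const key of Object.keys(node)) {
      const here = `${path}/${key}`;
      if (POLLUTING_KEYS.has(key)) out.push(here);
      findPollutingKeys(node[key], here, out);
    }
  }
  return out;
}

// Snapshot of Object.prototype taken when this module loads. prototypeDrift()
// lists any property added since, which is how a successful pollution shows
// up at runtime regardless of which dependency caused it.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function prototypeDrift() {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !BASELINE.has(n));
}

// Gate in front of the resolver: parse, refuse documents with polluting keys,
// otherwise hand back the parsed document for dereferencing.
function loadUntrustedSchema(text) {
  const doc = JSON.parse(text);
  const hits = findPollutingKeys(doc);
  if (hits.length > 0) {
    throw new Error(`refusing schema: polluting keys at ${hits.join(", ")}`);
  }
  return doc;
}

// Constructed samples: a benign OpenAPI fragment, and one whose component
// schema carries a "__proto__" key (written as raw JSON, since an object
// literal with "__proto__" would set the prototype instead of an own key).
const BENIGN = JSON.stringify({
  openapi: "3.0.0",
  components: { schemas: { Pet: { type: "object", properties: { id: { type: "integer" } } } } },
});
const SUSPICIOUS =
  '{"openapi":"3.0.0","components":{"schemas":{"Pet":{"__proto__":{"polluted":true}}}}}';
```

Calling `loadUntrustedSchema(SUSPICIOUS)` throws with the offending path, while `loadUntrustedSchema(BENIGN)` returns the document and `prototypeDrift()` stays empty.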