(security)(RCE) Upgrade jsonpath-plus to @^10.0.0 #4770
adrsimon
changed the title
Update jsonpath-plus to @^10.0.0
Upgrade jsonpath-plus to @^10.0.0
Oct 11, 2024
adrsimon
changed the title
Upgrade jsonpath-plus to @^10.0.0
(security)(RCE) Upgrade jsonpath-plus to @^10.0.0
Oct 11, 2024
We're using pnpm, and adding the following to package.json at least bumped the dependency for us. A quick ephemeral deployment shows tracing is still working; however, it's hard to say there aren't side effects from this, so I would tread carefully if you're pushing this out to production (especially ahead of the weekend).
For searching purposes, this relates to CVE-2024-21534
juancarlosjr97
added a commit
to juancarlosjr97/datadog-trace-js
that referenced
this issue
Oct 14, 2024
Hello,
Snyk reported a security issue in one of my repos, because of one of the dependencies used by dd-trace-js. You can find the report here: https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
dd-trace-js uses jsonpath-plus@^9.0.0, which contains an RCE. The only thing to do is upgrade the lib.
Thanks!
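A check for the condition this issue describes, as an added example that is not part of the thread or of dd-trace-js: it audits an already-parsed npm package-lock.json and reports every installed jsonpath-plus copy below a minimum version, plus which packages request it. Assumptions: the lockfile is npm's lockfileVersion 2 or 3 layout (the pnpm lockfile mentioned above is a different format), the sample lockfile is constructed, the function names are hypothetical, and the 10.0.0 default is taken from the issue title.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for copies of jsonpath-plus older than a minimum version.
const TARGET = "jsonpath-plus";

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` sorts strictly before `minimum`.
function isBelow(version, minimum) {
  const a = parseVersion(version), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // equal versions are not "below"
}

// `minimum` defaults to the version named in the issue title; set it to
// whatever the advisory you are tracking lists as fixed.
function auditLock(lock, minimum = "10.0.0") {
  const suffix = `node_modules/${TARGET}`;
  const installed = [], requestedBy = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Match hoisted and nested copies, but not scoped look-alikes (@x/jsonpath-plus).
    if ((path === suffix || path.endsWith("/" + suffix)) && pkg.version) {
      installed.push({ path, version: pkg.version, outdated: isBelow(pkg.version, minimum) });
    }
    // Record who declares the dependency and with which range.
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    if (deps[TARGET]) requestedBy.push({ path: path || "(root project)", range: deps[TARGET] });
  }
  return { installed, requestedBy, ok: installed.every((e) => !e.outdated) };
}

// Constructed sample lockfile; the dd-trace version is a placeholder.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-service", dependencies: { "dd-trace": "*" } },
    "node_modules/dd-trace": { version: "0.0.0-example", dependencies: { "jsonpath-plus": "^9.0.0" } },
    "node_modules/jsonpath-plus": { version: "9.0.0" },
  },
};

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

After an override is applied, `requestedBy` still shows the parent's original range while `installed` shows the version actually resolved, which is the thing to verify before deploying.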