chore(deps): update dependency json to v10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
json	9.0.6 -> 10.0.0

GitHub Vulnerability Alerts

CVE-2020-7712

This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function.

---

Release Notes

trentm/json (json)

v10.0.0

Compare Source

• Backward incompatible and security-related change to parsing "lookup" strings.

  This version restricts the supported syntax for bracketed "lookup"
  strings to fix a possible
  vulnerability (CVE-2020-7712). With a carefully crafted lookup string,
  command injection was possible. See
  #​144 for a repro. If you use
  json (the CLI or as a node.js module) and run arbitrary user-provided
  strings as a "lookup", then you should upgrade.

  For the json CLI, a "lookup" string is the 'foo' in:

    echo ...some json... | json foo
  

  which allows you to lookup fields on the given JSON, e.g.:

    $ echo '{"foo": {"bar": "baz"}}' | json foo.bar
    baz
  

  If one of the lookup fields isn't a valid JS identifier, then the JS array
  notation is supported:

    $ echo '{"https://example.com": "my-value"}' | json '["https://example.com"]'
    my-value
  

  Before this change, json would effectively exec the string between the
  brackets as JS code such that things like the following were possible:

    $ echo '{"foo3": "bar"}' | json '["foo" + 3]'
    bar
  

  This change limits supported bracket syntax in lookups to a simple quoted
  string:

    ["..."]
    ['...']
    [`...`]      # no variable interpolation
  

  Otherwise generating an error of the form:

    json: error: invalid bracketed lookup string: "[\"foo\" + 3]" (must be of the form ['...'], ["..."], or [`...`])
  

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.