JSON5 vulnerability in v7.x of ember-cli-babel #512

@LucasHillDex

Description

ember-cli-babel version 7.x is still widely used in the ember community; over 65% of downloads from npm are still on 7.x. There is a vulnerability in JSON5 being brought in from a transitive dependency of this package, which has been updated in ember-cli-babel 8.x. However, it is impossible to remove version 7.x from ember projects, given that ember-source itself still depends on 7.x, along with many other ember community packages. I am hoping a patch version of ember 7.x could be released to remove this vulnerability.

This proposed PR should allow projects to get JSON5 0.5.1 out of their lockfiles: #511

See vulnerability: https://security.snyk.io/vuln/SNYK-JS-JSON5-3182856

The dependency chain bringing in 0.5.1:

    └─┬ ember-cli-babel 7.26.11
      └─┬ babel-plugin-module-resolver 3.2.0
        └─┬ find-babel-config 1.2.0
          └── json5 0.5.1

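A small audit script for finding every path that pulls a vulnerable transitive dependency into a project, as an added example that is not part of the issue or of ember-cli-babel itself. It walks the nested `dependencies` tree that `npm ls --json` prints and reports each chain ending in a copy of the named package below a fixed version. The embedded tree is constructed for the demo: the ember-cli-babel chain reproduces the versions listed above, while `my-app`, `safe-lib` and the json5 2.2.3 entry are made up, and the `fixed_in` threshold is an assumed placeholder that should be taken from the advisory, not from this code.

```python
"""Walk an `npm ls --json` dependency tree and report every path that leads
to a package at a version below the version that carries the fix."""
import json

# Constructed sample: the shape mirrors `npm ls --json` output (nested
# "dependencies" maps with a "version" per entry). The ember-cli-babel chain
# uses the versions reported in the issue; "my-app", "safe-lib" and the
# json5 2.2.3 entry are made up so the demo also shows a non-flagged copy.
SAMPLE_TREE_JSON = """
{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "ember-cli-babel": {
      "version": "7.26.11",
      "dependencies": {
        "babel-plugin-module-resolver": {
          "version": "3.2.0",
          "dependencies": {
            "find-babel-config": {
              "version": "1.2.0",
              "dependencies": {
                "json5": {"version": "0.5.1"}
              }
            }
          }
        }
      }
    },
    "safe-lib": {
      "version": "2.0.0",
      "dependencies": {
        "json5": {"version": "2.2.3"}
      }
    }
  }
}
"""


def parse_version(ver):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple. Pre-release tags and
    build metadata are dropped: a simplification, not full semver ordering."""
    core = ver.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version, fixed_in):
    """True when `version` is strictly below the version that carries the fix."""
    return parse_version(version) < parse_version(fixed_in)


def find_vulnerable_paths(tree, package, fixed_in, _path=None):
    """Depth-first walk of the nested `dependencies` maps.

    Returns a list of paths (each a list of 'name@version' strings) from the
    root's direct dependencies down to every occurrence of `package` whose
    version is below `fixed_in`. Each nested copy is reported separately,
    because every physical copy in node_modules has to be replaced.
    """
    _path = _path or []
    hits = []
    for name, node in tree.get("dependencies", {}).items():
        version = node.get("version", "unknown")
        here = _path + [f"{name}@{version}"]
        if name == package and version != "unknown" and is_vulnerable(version, fixed_in):
            hits.append(here)
        hits.extend(find_vulnerable_paths(node, package, fixed_in, here))
    return hits


def format_chain(path):
    """Render a path as a single 'a@1 > b@2 > c@3' line for reporting."""
    return " > ".join(path)


def audit(tree_json, package, fixed_in):
    """Parse `npm ls --json` text and return the rendered vulnerable chains."""
    tree = json.loads(tree_json)
    return [format_chain(p) for p in find_vulnerable_paths(tree, package, fixed_in)]


if __name__ == "__main__":
    # "2.2.2" is an assumed placeholder threshold for the demo; take the real
    # fixed version from the advisory linked in the issue.
    for chain in audit(SAMPLE_TREE_JSON, "json5", "2.2.2"):
        print("vulnerable:", chain)
```

In a real project you would pipe `npm ls --all --json` into `audit` instead of the embedded sample; the script reports only the chains that actually resolve to the old version, so a project that already carries a patched json5 elsewhere (like `safe-lib` here) is not flagged for that copy.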
