Replace jsonpath with jsonpath-plus #329

Open
jchipmt wants to merge 1 commit into wmfs:master from jchipmt:master

jchipmt commented Feb 27, 2025

I was trying to use the asl-choice-processor in my own state machine library, and when building I was running into issues with the jsonpath dependency, specifically because it is using require.resolve in a couple of places:

https://github.com/search?q=repo%3Adchester%2Fjsonpath%20require.resolve&type=code

This PR replaces jsonpath with jsonpath-plus, which is bundled for newer versions of node and also browsers. jsonpath-plus is not a drop-in replacement, so I had to update `jp.query(values, inputPath)` with `JSONPath({path: inputPath, json: values, wrap: false})`.

Tests pass after changes.

Thank you for creating and maintaining this library!


jchipmt commented Feb 17, 2026

Hi. The JSONPath package is now labelled as vulnerable to Arbitrary Code Injection:

https://security.snyk.io/vuln/SNYK-JS-JSONPATH-13645034

Would you consider reviewing and merging this PR now to resolve this issue?
