[BUG] @asyncapi/multi-parser still depending on vulnerable version of jsonpath-plus

[BenjaminSchwendner]

Describe the bug.

There is a vulnerability in jsonpath-plus on versions earlier than 10.0.7.
You already merged these two PRs (#1058, #1062), making the @asyncapi/parser package migrate to a safe version.
However, the @asyncapi/multi-parser package still depends on versions of @asyncapi/multi-parser (parserapiv1 as well as parserapiv2) that use older versions of jsonpath-plus (7.2.0).

Would it be possible to release patches for 2.1.0 and 3.0.0-next-major-spec.8 of @asyncapi/parser that use the safe version of jsonpath-plus and then make @asyncapi/multi-parser use these versions?

Expected behavior

@asyncapi/multi-parser should only rely on jsonpath-plus@>10.0.7

Screenshots

Here the (relevant) output of npm why jsonpath-plus after running npm install @asyncapi/multi-parser on a blank npm package:

jsonpath-plus@7.2.0
node_modules/parserapiv1/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from parserapiv1@2.1.2
  node_modules/parserapiv1
    parserapiv1@"npm:@asyncapi/parser@^2.1.0" from @asyncapi/multi-parser@2.2.0
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

jsonpath-plus@7.2.0
node_modules/parserapiv2/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from parserapiv2@3.0.0-next-major-spec.8
  node_modules/parserapiv2
    parserapiv2@"npm:@asyncapi/parser@3.0.0-next-major-spec.8" from @asyncapi/multi-parser@2.2.0
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

How to Reproduce

Install @asyncapi/multi-parser and find the versions of jsonpath-plus that got installed.

🥦 Browser

None

👀 Have you checked for similar open issues?

• I checked and didn't find similar issue

🏢 Have you read the Contributing Guidelines?

• I have read the Contributing Guidelines

Are you willing to work on this issue ?

None

[github-actions]

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

[6LpUkQSgQm]

Could you let me know when you expect to review the fix for this bug?

[derberg]

coming here from asyncapi/generator#1323

@jonaslagoni @magicmatatjahu @smoya any ideas how we could fix that? affected things are:

    "parserapiv1": "npm:@asyncapi/parser@^2.1.0",
    "parserapiv2": "npm:@asyncapi/parser@3.0.0-next-major-spec.8"

but damn, doing patches is a hell of a job

what about adding this to package.json:

"overrides": {
    "parserapiv1": {
      "jsonpath-plus": "^10.0.7"
    },
    "parserapiv2": {
      "jsonpath-plus": "^10.0.7"
    },
  }

since 7.2.0 changes were:

• v8 only breaking change was node14 requirement
• v9 changes to eval and evaluate
• v10 node18 requirement

the only thing is that adding such override, we would need to release new major for multi-parser as for now in package.json we do not have any info about node version requirements. So we need new version and below:

  "engines": {
    "node": ">=18"
  }

@jonaslagoni @magicmatatjahu @smoya wdyt?

[shwetd19]

Hey @derberg @jonaslagoni @magicmatatjahu @smoya @BenjaminSchwendner

The suggested approach using overrides seems like a reasonable solution given the complexity of patching multiple nested dependencies.

I agree that this warrants a major version bump for multi-parser since we'd be enforcing Node.js 18+ through the jsonpath-plus v10 dependency, making a breaking change for environments using older Node.js versions, and it's better to be explicit about the Node.js requirement in package.json.

For the next steps, I suggest we create a new major version of multi-parser (v3.0.0), add the overrides for jsonpath-plus >=10.0.7, add the Node.js engine requirement, update documentation to clearly communicate the Node.js version requirement, and add a migration guide for users who need to upgrade.