A scan of the node_modules folder of Prebid.js revealed a major security issue.
The library json5 version 0.5.1 was detected in NPM library manager located at
./Prebid.js/node_modules/babel-core/node_modules/json5/package.json
and is vulnerable to CVE-2022-46175, which exists in versions < 1.0.2.
See also GHSA-9c47-m6qq-7p4h
This is not because of the babel-core used by Prebid.js itself but by its dependencies,
like babel-register as mentioned in ISSUE 12010 but also coming through e.g. eslint-plugin-import.
This shows all packages that themselves depend on babel-core@6.XX:
More or less, it seems to be related to more than just "babel-register", but does that matter? It should be fixed anyway...
But you will surely see in the PR I did.
Type of issue
Security vulnerability
Platform details
This affects at least v9 (latest) of Prebid.js
Other information
Partly already mentioned in:
ISSUE 12010
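An added example, not part of the original issue or of Prebid.js: a small Node.js walker that lists every dependency chain ending in a json5 version below 1.0.2, the fixed version the issue cites for CVE-2022-46175. The tree is constructed and simplified, in the shape of `npm ls --all --json` output; every version in it except json5 0.5.1 is a placeholder, and the function names are hypothetical.

```javascript
// Constructed, simplified dependency tree (shape of `npm ls --all --json`).
// Only json5@0.5.1 comes from the issue; all other versions are placeholders.
const vulnerableCore = {
  version: "6.26.3",
  dependencies: { json5: { version: "0.5.1" } },
};
const sampleTree = {
  name: "prebid.js",
  version: "9.0.0",
  dependencies: {
    "babel-register": { version: "6.26.0", dependencies: { "babel-core": vulnerableCore } },
    "eslint-plugin-import": { version: "2.29.1", dependencies: { "babel-core": vulnerableCore } },
    json5: { version: "2.2.3" }, // a top-level copy at or above 1.0.2 is not reported
  },
};

// Parse the numeric "major.minor.patch" prefix; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// True when `version` is strictly lower than `fixed`.
function isBelow(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  if (!a || !b) return false; // unparseable versions are not reported
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Depth-first walk returning each chain "root > ... > pkg@version" whose
// last element is `pkg` at a version below `fixed`.
function findVulnerablePaths(node, pkg, fixed, trail = [`${node.name}@${node.version}`]) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...trail, `${name}@${dep.version}`];
    if (name === pkg && isBelow(dep.version, fixed)) hits.push(path.join(" > "));
    hits.push(...findVulnerablePaths(dep, pkg, fixed, path));
  }
  return hits;
}

console.log(findVulnerablePaths(sampleTree, "json5", "1.0.2").join("\n"));
```

Reporting the full chain rather than only the nested path shows which direct dependencies need to be upgraded or replaced to drop the old babel-core copy.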