
JSON5 vulnerability in v7.x of ember-cli-babel #512

@LucasHillDex


ember-cli-babel version 7.x is still widely used in the ember community; over 65% of downloads from npm are still on 7.x. There is a vulnerability in JSON5 being brought in from a transitive dependency of this package, which has been updated in ember-cli-babel 8.x. However, it is impossible to remove version 7.x from ember projects given that ember-source itself still depends on 7.x, along with many other ember community packages. I am hoping a patch version of ember 7.x could be released to remove this vulnerability.

This proposed PR should allow projects to get JSON5 0.5.1 out of their lockfiles: #511

See vulnerability: https://security.snyk.io/vuln/SNYK-JS-JSON5-3182856

The dependency chain bringing in 0.5.1:

    └─┬ ember-cli-babel 7.26.11
      └─┬ babel-plugin-module-resolver 3.2.0
        └─┬ find-babel-config 1.2.0
          └── json5 0.5.1

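As an added example (not code from the issue or from ember-cli-babel), the following script reproduces the chain above from a package-lock.json by walking its lockfileVersion 3 "packages" map with npm's nearest-node_modules resolution, and reports every chain that ends in a json5 release inside the affected ranges. The lockfile is constructed to mirror the issue's chain; the vulnerable ranges are an assumption taken from the linked advisory, not from this page.

```javascript
// Audit a lockfileVersion 3 package-lock.json for chains ending in a vulnerable json5.
// Assumption (from the linked advisory, not this page): affected below 1.0.2 and 2.0.0 <= v < 2.2.2.
const VULNERABLE_RANGES = [["0.0.0", "1.0.2"], ["2.0.0", "2.2.2"]];

// Constructed lockfile mirroring the chain reported in the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "ember-cli-babel": "^7.26.11", json5: "^2.2.3" } },
    "node_modules/ember-cli-babel": { version: "7.26.11", dependencies: { "babel-plugin-module-resolver": "^3.1.1" } },
    "node_modules/babel-plugin-module-resolver": { version: "3.2.0", dependencies: { "find-babel-config": "^1.1.0" } },
    "node_modules/find-babel-config": { version: "1.2.0", dependencies: { json5: "^0.5.1" } },
    // npm keeps the old json5 nested beside the root-level 2.x copy, so the root entry hides it
    "node_modules/find-babel-config/node_modules/json5": { version: "0.5.1" },
    "node_modules/json5": { version: "2.2.3" },
  },
};

// Numeric major.minor.patch comparison (prerelease tags ignored).
function versionLess(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

function isVulnerable(version, ranges) {
  return ranges.some(([lo, hi]) => !versionLess(version, lo) && versionLess(version, hi));
}

// npm lookup: nearest node_modules/<name>, walking up from the dependent's own path.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

const pkgName = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// Depth-first walk from the root; `seen` is per chain so diamonds yield every distinct path.
function findVulnerableChains(lock, target, ranges) {
  const { packages } = lock, chains = [];
  const walk = (path, chain, seen) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || seen.has(depPath)) continue;
      const next = [...chain, `${pkgName(depPath)}@${packages[depPath].version}`];
      if (pkgName(depPath) === target && isVulnerable(packages[depPath].version, ranges)) chains.push(next.join(" > "));
      walk(depPath, next, new Set(seen).add(depPath));
    }
  };
  walk("", [], new Set());
  return chains;
}

console.log(findVulnerableChains(SAMPLE_LOCK, "json5", VULNERABLE_RANGES));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result means no chain resolves to an affected json5.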
