
By performing a dependency check using OWASP Dependency-Check 7.0.4 on my project, which uses Java for the BE and JS for the FE, I got several CVEs scored over 8. One is the json-schema package used by npm. This is the package configuration in package.json:

dependencies:

"json-schema": "^0.4.0"
"npm": "^7.13.0"

When running the command npm ls json-schema to check where json-schema is used, I got:

+-- json-schema@0.4.0
+-- lerna@4.0.0
| `-- @lerna/add@4.0.0
|   `-- pacote@11.3.5
|     `-- @npmcli/run-script@1.8.6
|       `-- node-gyp@7.1.2
|         `-- request@2.88.2
|           `-- http-signature@1.2.0
|             `-- jsprim@1.4.2
|               `-- json-schema@0.4.0 deduped
`-- npm@7.24.2
  `-- node-gyp@7.1.2
    `-- request@2.88.2
      `-- http-signature@1.2.0
        `-- jsprim@1.4.1
          `-- json-schema@0.2.3

I see that I need to somehow force npm to use the latest json-schema version. Can anyone please give me a hint whether this is the right way, and how to achieve it?

Bratar
  • Update to my question: there is also a CVE about npm itself: npm:7.24.2: CVE-2021-43616 (9.8). So maybe by solving this the json-schema CVE disappears. – Bratar Apr 04 '22 at 07:59

1 Answer


Problem solved by updating npm to 8.6.0.

Bratar