Update npm package jsonpath to v1.2.0 [SECURITY] #8362

Open
hash-worker[bot] wants to merge 1 commit into main from deps/js/npm-jsonpath-vulnerability
Conversation

@hash-worker hash-worker bot commented Feb 5, 2026

This PR contains the following updates:

Package    Change
jsonpath   1.1.1 -> 1.2.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-61140

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.


Release Notes

dchester/jsonpath (jsonpath)

v1.2.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
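The alert above names prototype pollution in jsonpath's value function. The following is an added example, not jsonpath's code and not part of this PR: a minimal path-based setter in the style of value(obj, path, newValue) that follows inherited properties, beside a hardened wrapper that screens untrusted paths for the standard prototype-pollution sink segments before they reach any setter. The function names, the simplified path grammar and the sample paths are constructed for illustration; the exact CVE-2025-61140 trigger is not reproduced.

```javascript
// Added example, not jsonpath's code: a minimal setter in the style of
// value(obj, path, newValue) and a hardened wrapper. The segment names below are
// the standard prototype-pollution sinks; the exact CVE trigger is not reproduced.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);
// Split a simplified JSONPath ("$.a.b", "$['a']['b']") into property segments.
// Wildcards, filters and slices are out of scope for this illustration.
function pathSegments(path) {
  if (typeof path !== "string" || !path.startsWith("$")) throw new Error("path must start with $");
  const segs = [];
  const re = /\.([^.[\]]+)|\['([^']*)'\]|\["([^"]*)"\]/g;
  let m;
  while ((m = re.exec(path.slice(1))) !== null) segs.push(m[1] ?? m[2] ?? m[3]);
  return segs;
}

// Defender's check: does any segment walk into Object.prototype?
function hasPrototypeSink(path) {
  return pathSegments(path).some((s) => FORBIDDEN_SEGMENTS.has(s));
}

// Unguarded setter: follows inherited properties, so a "__proto__" segment
// resolves to Object.prototype and the leaf assignment lands on every object.
function unsafeSet(obj, path, value) {
  const segs = pathSegments(path);
  let cur = obj;
  for (const s of segs.slice(0, -1)) {
    if (cur[s] === undefined) cur[s] = {};
    cur = cur[s];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Hardened wrapper: screen untrusted paths before they reach any setter.
function safeSet(obj, path, value) {
  if (hasPrototypeSink(path)) throw new Error(`rejected prototype sink in ${path}`);
  return unsafeSet(obj, path, value);
}
// Constructed demonstration: pollute via unsafeSet, observe it on an unrelated
// object, clean up, then confirm safeSet refuses the same path in bracket form.
function demonstrate() {
  const bystander = {};
  unsafeSet({}, "$.__proto__.polluted", "yes");
  const leaked = bystander.polluted; // "yes": Object.prototype was modified
  delete Object.prototype.polluted;
  let rejected = false;
  try { safeSet({}, "$['__proto__']['polluted']", "yes"); } catch (e) { rejected = true; }
  return { leaked, rejected, cleanAfter: bystander.polluted === undefined };
}
```

The same screening applies to any path-based setter fed by user input, whichever library performs the final assignment.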

@hash-worker hash-worker bot enabled auto-merge February 5, 2026 16:28
vercel bot commented Feb 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project   Deployment   Actions            Updated (UTC)
hash      Ready        Preview, Comment   Feb 5, 2026 4:41pm

3 Skipped Deployments

Project                Deployment   Actions   Updated (UTC)
hashdotdesign          Ignored      Preview   Feb 5, 2026 4:41pm
hashdotdesign-tokens   Ignored      Preview   Feb 5, 2026 4:41pm
petrinaut              Skipped                Feb 5, 2026 4:41pm

@vercel vercel bot temporarily deployed to Preview – petrinaut February 5, 2026 16:28 Inactive
cursor bot commented Feb 5, 2026

PR Summary

Low Risk
Dependency-only change; main risk is runtime behavior differences in jsonpath queries, with no app code modifications.

Overview
Updates the jsonpath dependency from 1.1.1 to 1.2.0 in both hash-api and hash-frontend.

Refreshes yarn.lock accordingly, pulling newer transitive versions (notably esprima, static-eval, and underscore) as part of the jsonpath upgrade to address the reported security issue.

Written by Cursor Bugbot for commit 0992959. This will update automatically on new commits. Configure here.

@github-actions github-actions bot added area/deps Relates to third-party dependencies (area) area/apps > hash* Affects HASH (a `hash-*` app) area/apps > hash-api Affects the HASH API (app) type/eng > frontend Owned by the @frontend team type/eng > backend Owned by the @backend team area/apps labels Feb 5, 2026
augmentcode bot commented Feb 5, 2026

🤖 Augment PR Summary

Summary: Updates the jsonpath dependency to address a reported prototype-pollution vulnerability.

Changes:

  • Bumped jsonpath from 1.1.1 to 1.2.0 in apps/hash-api
  • Bumped jsonpath from 1.1.1 to 1.2.0 in apps/hash-frontend

Technical Notes: This is a dependency-only change; runtime behavior should remain the same aside from incorporating upstream security fixes.

🤖 Was this summary useful? React with 👍 or 👎

@augmentcode augmentcode bot left a comment

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.
