Skip to content

Dependency update: cms-tina example pulls vulnerable jsonpath-plus (C… #89405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
i5d6 wants to merge 1 commit into
base: canary
Choose a base branch
from
Open

Dependency update: cms-tina example pulls vulnerable jsonpath-plus (C… #89405

i5d6 wants to merge 1 commit into from
+1 −1

Conversation

@i5d6
Copy link

@i5d6 i5d6 commented Feb 2, 2026

Summary

The examples/cms-tina project depends on a vulnerable version of jsonpath-plus affected by CVE-2024-21534 (Critical RCE).
This dependency is introduced transitively through @tinacms/cli@^0.60.16.

Affected Location

  • examples/cms-tina/package.json
"dependencies": {
  "@tinacms/cli": "^0.60.16"
}

@i5d6
Dependency update: cms-tina example pulls vulnerable jsonpath-plus (C…
acf1b45 
…VE-2024-21534) via @tinacms/cli

Updated the dependencies in package.json to include @JSONPath-Plus.
@nextjs-bot nextjs-bot added the examples Issue was opened via the examples template. label Feb 2, 2026
@nextjs-bot
Copy link
Collaborator

nextjs-bot commented Feb 2, 2026

Allow CI Workflow Run

  • approve CI run for commit: acf1b45

Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer

vercel[bot]
vercel bot reviewed Feb 2, 2026
View reviewed changes
examples/cms-tina/package.json
},
"dependencies": {
"@tinacms/cli": "^0.60.16",
"@jsonpath-plus@": "^10.2.0",
Copy link
Contributor

@vercel vercel bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Malformed package name "@JSONPath-Plus@" and missing @tinacms/cli dependency breaks tinacms CLI scripts

Fix on Vercel

Copy link
Author

@i5d6 i5d6 Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Malformed package name "https://github.com/JSONPath-Plus@" and missing @tinacms/cli dependency breaks tinacms CLI scripts

Observed Behavior

During dependency installation and script execution, the TinaCMS CLI pulls an outdated transitive dependency chain that resolves [email protected].

  • This dependency:

  • Is affected by CVE-2024-21534 (Critical RCE)

  • Causes unexpected behavior during package resolution

Results in malformed package name references such as @JSONPath-Plus@ during CLI execution or dependency resolution

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vercel vercel[bot] vercel[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

examples Issue was opened via the examples template.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@i5d6 @nextjs-bot