Update bfj to fix CVE-2026-1615

[nfy-sg]

Issue

• The following issue has been found in jsonpath (https://www.cve.org/CVERecord?id=CVE-2026-1615)
• contentful-export uses bfj@8.0.0 which uses jsonpath@1.1.1 - this contains the CVE vulnerability.

Solution

• The CVE has been fixed in jsonpath@1.2.0.
• bfj has fixed it by removing jsonpath as a dependency. (https://gitlab.com/philbooth/bfj/-/blob/master/HISTORY.md#913)
• Please update bfj in contentful-export and then make new releases for contentful-cli and other packages that uses this.

[whitelisab]

Niels Fyhring (@nfy-sg) Thanks for reporting this! We have a ticket in our backlog to get this updated and will reach back out when it's resolved.

[whitelisab]

Thanks again for opening this issue. This has been released on v7.22.4, I will go ahead and close this issue now.

[nfy-sg]

Lisa White (@whitelisab) are you also able to update the downstream packages like contentful-cli?

[whitelisab]

Niels Fyhring (@nfy-sg) It has now been released on v3.10.4 of contentful-cli

[nfy-sg]

Thank you for the quick update.