ChainSafe / js-libp2p-gossipsub

TypeScript implementation of Gossipsub
Apache License 2.0

vuln prototype pollution in dependency protobufjs #453

Closed a1300 closed 7 months ago

a1300 commented 1 year ago

Reproduction:

git clone https://github.com/ChainSafe/js-libp2p-gossipsub
cd js-libp2p-gossipsub

git checkout 89c82f6c06ee29e0b7c84ef4165ba38ff672394c
npm ci


npm audit
# npm audit report

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install protobufjs@7.2.4, which is a breaking change
node_modules/protobufjs
node_modules/protons-runtime/node_modules/protobufjs

...
...
...
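As an added example (not code from this issue or from the gossipsub project), a small Node.js check that scans an npm v2/v3 lockfile for every installed copy of protobufjs inside the audit's affected range 6.10.0 - 7.2.3, including nested installs such as the protons-runtime one above; the lockfile contents are constructed for the demonstration.

```javascript
// Added example: flag protobufjs installs in the advisory's affected range.
// The lockfile below is constructed to mirror the paths npm audit reported
// (a top-level copy and a nested copy under protons-runtime).
const LOCKFILE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/protobufjs": { version: "7.2.3" },
    "node_modules/protons-runtime/node_modules/protobufjs": { version: "6.11.3" },
    "node_modules/other-dep/node_modules/protobufjs": { version: "7.2.4" },
  },
});

// Inclusive affected range as printed by npm audit for GHSA-h755-8qp9-cq85.
const AFFECTED = { low: "6.10.0", high: "7.2.3" };

// Numeric MAJOR.MINOR.PATCH comparison; any pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED.low) >= 0 &&
         compareVersions(version, AFFECTED.high) <= 0;
}

// Return every install path (top-level or nested) whose last segment is the
// package and whose version lies in the affected range. Only lockfileVersion
// 2/3 ("packages" keyed by path) is handled here.
function findVulnerableProtobufjs(lockfileJson, pkgName = "protobufjs") {
  const lock = JSON.parse(lockfileJson);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + pkgName) && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

const findings = findVulnerableProtobufjs(LOCKFILE);
for (const f of findings) console.log(`${f.path}@${f.version} is in the affected range`);
console.log(findings.length ? "vulnerable copies remain" : "no affected protobufjs found");
```

Pointing `LOCKFILE` at the real package-lock.json contents lets the same check run in CI until every nested copy resolves to 7.2.4 or later.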
twoeths commented 1 year ago

should be fixed by https://github.com/ChainSafe/js-libp2p-gossipsub/issues/318

syonfox commented 1 year ago
node_modules/protobufjs
  @chainsafe/libp2p-gossipsub  >=3.5.0
  Depends on vulnerable versions of protobufjs
  node_modules/@chainsafe/libp2p-gossipsub
    helia  >=1.1.0
    Depends on vulnerable versions of @chainsafe/libp2p-gossipsub
    node_modules/helia

3 high severity vulnerabilities

Here is vs 6.??

https://github.com/ChainSafe/js-libp2p-gossipsub/blob/83b8e61e700f45743940e33b8ca2c28c1e18a1d5/package.json#L94

What version of protobufjs should libp2p-gossipsub change to?

If it is fixed, what version of gossipsub has the fix for helia? Thanks. Cool stuff, guys.