actions-on-google / assistant-conversation-nodejs

A developer friendly way to fulfill Actions SDK handlers for the Google Assistant
https://actions-on-google.github.io/assistant-conversation-nodejs
Apache License 2.0

Security vulnerability due to outdated google-auth-library dependency #10

Closed jankratochvilcz closed 3 years ago

jankratochvilcz commented 4 years ago

Running `npm run audit` results in a high-severity vulnerability:

```
High            Prototype Pollution in node-forge

Package         node-forge

Patched in      >= 0.10.0

Dependency of   @assistant/conversation

Path            @assistant/conversation > google-auth-library > gtoken >
                google-p12-pem > node-forge

More info       https://npmjs.com/advisories/1561
```

The core issue appears to be the usage of an obsoleted version of the `"google-auth-library": "^5.10.1"` dependency which prevents us from updating the node-forge upstream dependency.
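An added example (not code from the issue or from the @assistant/conversation project) of the check a strict CI gate performs on a report like the one above: walk the lockfile graph from the top-level package to the advisory's package, then compare the resolved version numerically against the "Patched in" lower bound. The flattened lockfile shape and every version except google-auth-library 5.10.1 (quoted in the issue) are constructed for illustration; the 0.9.x versus 0.10.0 comparison is included because plain string comparison gets it wrong.

```javascript
// Constructed, simplified lockfile fragment: name -> { version, requires }.
// A real package-lock.json nests "dependencies" objects; flattening it to this
// shape is left as a pre-processing step. Only google-auth-library 5.10.1 is
// taken from the issue; the other versions are illustrative.
const lock = {
  '@assistant/conversation': { version: '3.0.0', requires: ['google-auth-library'] },
  'google-auth-library':     { version: '5.10.1', requires: ['gtoken'] },
  'gtoken':                  { version: '4.1.4', requires: ['google-p12-pem'] },
  'google-p12-pem':          { version: '2.0.4', requires: ['node-forge'] },
  'node-forge':              { version: '0.9.1', requires: [] },
};

// Numeric semver comparison. String comparison gets this wrong: '0.9.1' > '0.10.0'
// is true lexically, so a naive check would report 0.9.1 as already patched.
function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10));
}

function isAtLeast(version, minimum) {
  const a = parseVersion(version), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true; // equal versions satisfy ">="
}

// Depth-first search for every dependency chain from root to target.
// `seen` holds the current path so cyclic graphs cannot recurse forever.
function findPaths(graph, root, target, path = [], seen = new Set()) {
  if (!graph[root] || seen.has(root)) return [];
  const current = [...path, root];
  if (root === target) return [current];
  seen.add(root);
  const found = graph[root].requires.flatMap((dep) =>
    findPaths(graph, dep, target, current, seen));
  seen.delete(root);
  return found;
}

// Mirrors what `npm audit` prints for one advisory: resolved version, every path
// that pulls the package in, and whether the version is at or above the fix.
function auditTransitive(graph, root, advisory) {
  const paths = findPaths(graph, root, advisory.package);
  const version = graph[advisory.package] ? graph[advisory.package].version : null;
  const vulnerable = paths.length > 0 && !isAtLeast(version, advisory.patchedIn);
  return { package: advisory.package, version, paths, vulnerable };
}

console.log(JSON.stringify(auditTransitive(lock, '@assistant/conversation',
  { package: 'node-forge', patchedIn: '0.10.0' }), null, 2));
```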

Fleker commented 4 years ago

Thanks for identifying this.

jankratochvilcz commented 4 years ago

Please let me know how I can help here and at which point you could take a look into this further. Our CI is strict about high-severity vulnerabilities, so I could take a swing at migrating to the new library version as well. There are some non-specified breaking changes awaiting in v6 ref, but maybe they won't be a problem.

Let me know how you'd like to proceed here.

Fleker commented 4 years ago

My plan for this library is to try updating the auth-library to v6 and run tests/sample. I don't believe there'd be any breakages, or if so they'd be minimal.

jankratochvilcz commented 4 years ago

Thanks @Fleker, appreciate it! If you could give me a rough estimate of when you could take a look it'd help us plan on our side :-)

Fleker commented 4 years ago

I hope to have an update before the week's end.

jankratochvilcz commented 3 years ago

Appreciate the fast turnaround here, thanks!