search

census-instrumentation / opencensus-node

A stats collection and distributed tracing framework
https://opencensus.io
Apache License 2.0
273 stars 97 forks source link

chore(deps): update dependency protobufjs to v7 [security] #1106

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
protobufjs (source) 6.11.3 -> 7.2.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

Release Notes

protobufjs/protobuf.js (protobufjs) ### [`v7.2.4`](https://togithub.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#724-2023-06-23) [Compare Source](https://togithub.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4) ##### Bug Fixes - do not let setProperty change the prototype ([#​1899](https://togithub.com/protobufjs/protobuf.js/issues/1899)) ([e66379f](https://togithub.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d)) ### [`v7.2.3`](https://togithub.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#723-2023-03-27) [Compare Source](https://togithub.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.2...protobufjs-v7.2.3) ##### Bug Fixes - type names can be split into multiple tokens ([#​1877](https://togithub.com/protobufjs/protobuf.js/issues/1877)) ([8817ee6](https://togithub.com/protobufjs/protobuf.js/commit/8817ee613dfcf55f7f6fa8704f3fdd3e68c0e1d8)) ### [`v7.2.2`](https://togithub.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#722-2023-02-07) [Compare Source](https://togithub.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.1...protobufjs-v7.2.2) ##### Bug Fixes - do not allow to extend same field twice to prevent the error ([#​1784](https://togithub.com/protobufjs/protobuf.js/issues/1784)) ([14f0536](https://togithub.com/protobufjs/protobuf.js/commit/14f05364a04fe1ca0bfb278b3407e058c6b5a1ab)) ### [`v7.2.1`](https://togithub.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#721-2023-02-02) [Compare Source](https://togithub.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.0...protobufjs-v7.2.1) ##### Bug Fixes - **cli:** fix relative path to Google pb files ([#​1859](https://togithub.com/protobufjs/protobuf.js/issues/1859)) ([e42eea4](https://togithub.com/protobufjs/protobuf.js/commit/e42eea4868b11f4a07934804a56683321ed191e2)) - Revert "fix: error should be thrown" ([4489fa7](https://togithub.com/protobufjs/protobuf.js/commit/4489fa771464bcb49b57149760e9cc4131e8077e)) - use bundled filename to fix common pb includes ([#​1860](https://togithub.com/protobufjs/protobuf.js/issues/1860)) ([dce9a2e](https://togithub.com/protobufjs/protobuf.js/commit/dce9a2ef92d363752e40b295b0da9bd178f82e83)) - use ES5 style function syntax ([#​1830](https://togithub.com/protobufjs/protobuf.js/issues/1830)) ([64e8936](https://togithub.com/protobufjs/protobuf.js/commit/64e8936ad9f73c68b3fa1e57857dd38323b5a745)) ### [`v7.2.0`](https://togithub.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#720-2023-01-24) [Compare Source](https://togithub.com/protobufjs/protobuf.js/compare/protobufjs-v7.1.2...protobufjs-v7.2.0) ##### Features - **cli:** generate static files at the granularity of proto messages ([#​1840](https://togithub.com/protobufjs/protobuf.js/issues/1840)) ([32f2d6a](https://togithub.com/protobufjs/protobuf.js/commit/32f2d6a68b27997bd0f7619998695a9fa7a4fd70)) ##### Bug Fixes - error should be thrown ([#​1817](https://togithub.com/protobufjs/protobuf.js/issues/1817)) ([e7a3489](https://togithub.com/protobufjs/protobuf.js/commit/e7a34897a122342485468999a507626f1ea91507)) ### [`v7.1.2`](https://togithub.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#712-2022-09-22) [Compare Source](https://togithub.com/protobufjs/protobuf.js/compare/protobufjs-v7.1.1...protobufjs-v7.1.2) ##### Bug Fixes - **types:** nested object can be a oneof ([#​1812](https://togithub.com/protobufjs/protobuf.js/issues/1812)) ([119d90a](https://togithub.com/protobufjs/protobuf.js/commit/119d90aa1ce14d7bff20bb1dcc1ddc4544a80c23)) ### [`v7.1.1`](https://togithub.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#711-2022-09-09) [Compare Source](https://togithub.com/protobufjs/protobuf.js/compare/protobufjs-v7.1.0...protobufjs-v7.1.1) ##### Bug Fixes - add import long to the generated .d.ts ([#​1802](https://togithub.com/protobufjs/protobuf.js/issues/1802)) ([7c27b5a](https://togithub.com/protobufjs/protobuf.js/commit/7c27b5ad5d161c9f3711aa053ca704f8e1224e90)) - generate valid js code for aliased enum values ([#​1801](https://togithub.com/protobufjs/protobuf.js/issues/1801)) ([7120e93](https://togithub.com/protobufjs/protobuf.js/commit/7120e93b7980728614779c50f40877da57e3cf37)) ### [`v7.1.0`](https://togithub.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#710-2022-08-26) [Compare Source](https://togithub.com/protobufjs/protobuf.js/compare/protobufjs-v7.0.0...protobufjs-v7.1.0) ##### Features - accept unknown enum values in fromObject ([#​1793](https://togithub.com/protobufjs/protobuf.js/issues/1793)) ([ef24ae4](https://togithub.com/protobufjs/protobuf.js/commit/ef24ae4e93cf8635ff38398b37f3597e5d478330)) - valuesOptions for enums ([#​1358](https://togithub.com/protobufjs/protobuf.js/issues/1358)) ([bb6b1d4](https://togithub.com/protobufjs/protobuf.js/commit/bb6b1d4942d924bcb4ee3ad15f4823f2d9c1ab22)) ##### Bug Fixes - **deps:** update dependency glob to v8 ([#​1750](https://togithub.com/protobufjs/protobuf.js/issues/1750)) ([8303a64](https://togithub.com/protobufjs/protobuf.js/commit/8303a648bc12dcea5aa8e7efa042de39011857f9)) - extensions broke oneof ([#​1789](https://togithub.com/protobufjs/protobuf.js/issues/1789)) ([d7f501c](https://togithub.com/protobufjs/protobuf.js/commit/d7f501c49d523cda423a3ab8bcaeb59a0216b350)) - remove unused `@types/long` ([#​1785](https://togithub.com/protobufjs/protobuf.js/issues/1785)) ([0f4af83](https://togithub.com/protobufjs/protobuf.js/commit/0f4af83e4ed3cef1ec035c2833e0b06cab0bd87f)) - support for nested messages and enums within group blocks ([#​1790](https://togithub.com/protobufjs/protobuf.js/issues/1790)) ([f36d4e4](https://togithub.com/protobufjs/protobuf.js/commit/f36d4e4a2df809b47ff85f87aba319b86be90878)) - **types:** update type deps ([#​1776](https://togithub.com/protobufjs/protobuf.js/issues/1776)) ([d87978b](https://togithub.com/protobufjs/protobuf.js/commit/d87978b8eb2a176676c58379a89206b94a6d926a)) ### [`v7.0.0`](https://togithub.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#700-2022-07-08) [Compare Source](https://togithub.com/protobufjs/protobuf.js/compare/v6.11.3...protobufjs-v7.0.0) ##### ⚠ BREAKING CHANGES - drop support for Node 4, 6, 8, 10 ([#​1764](https://togithub.com/protobufjs/protobuf.js/issues/1764)) - move command line tool to a new package named protobufjs-cli ([#​1234](https://togithub.com/protobufjs/protobuf.js/issues/1234)) - encoding of empty Buffers ([#​1514](https://togithub.com/protobufjs/protobuf.js/issues/1514)) ##### Features - add --no-service option for pbjs static target ([#​1577](https://togithub.com/protobufjs/protobuf.js/issues/1577)) ([d01394a](https://togithub.com/protobufjs/protobuf.js/commit/d01394a1463062824c066b653aad53c449752202)) - add alt-comment CLI option ([#​1692](https://togithub.com/protobufjs/protobuf.js/issues/1692)) ([7558ef0](https://togithub.com/protobufjs/protobuf.js/commit/7558ef0f93177978272f68f1710144a26b63e525)) - add configurable Root.prototype.fetch ([ad3cffd](https://togithub.com/protobufjs/protobuf.js/commit/ad3cffdc5a54a7c94830674270d3386e1a2b58fc)) - add getTypeUrl method to generated code ([#​1463](https://togithub.com/protobufjs/protobuf.js/issues/1463)) ([d13d5d5](https://togithub.com/protobufjs/protobuf.js/commit/d13d5d5688052e366aa2e9169f50dfca376b32cf)) - add null-defaults option ([#​1611](https://togithub.com/protobufjs/protobuf.js/issues/1611)) ([6e713ba](https://togithub.com/protobufjs/protobuf.js/commit/6e713baf54bd987ae52cbf92a4f2742c70201dc0)) - add support for buffer configuration ([#​1372](https://togithub.com/protobufjs/protobuf.js/issues/1372)) ([101aa1a](https://togithub.com/protobufjs/protobuf.js/commit/101aa1a4f148516fdc83a74f54a229f06e24a5de)) - allow message.getTypeUrl provide custom typeUrlPrefix ([#​1762](https://togithub.com/protobufjs/protobuf.js/issues/1762)) ([8aad1dd](https://togithub.com/protobufjs/protobuf.js/commit/8aad1dd994b1fc1f23bd71adf3a81b7a5616b210)) - better comment parse ([#​1419](https://togithub.com/protobufjs/protobuf.js/issues/1419)) ([7fd2e18](https://togithub.com/protobufjs/protobuf.js/commit/7fd2e182150c9b6be9ba21e6450b6e4668ad9f82)) - move command line tool to a new package named protobufjs-cli ([#​1234](https://togithub.com/protobufjs/protobuf.js/issues/1234)) ([da34f43](https://togithub.com/protobufjs/protobuf.js/commit/da34f43ccd51ad97017e139f137521782f5ef119)) - parsed options ([#​1256](https://togithub.com/protobufjs/protobuf.js/issues/1256)) ([7a25398](https://togithub.com/protobufjs/protobuf.js/commit/7a2539843055b6daecb9f369c67a6cf588dbb54c)) - prepare initial publication of cli ([#​1752](https://togithub.com/protobufjs/protobuf.js/issues/1752)) ([64811d5](https://togithub.com/protobufjs/protobuf.js/commit/64811d5878c31e4a86a39da5fec6aea35da22fcd)) - proto3 optional support ([#​1584](https://togithub.com/protobufjs/protobuf.js/issues/1584)) ([6c4d307](https://togithub.com/protobufjs/protobuf.js/commit/6c4d30716a9a756dcdc21d64f9c9d069315fc5b1)) - support parsing of complex options ([#​1744](https://togithub.com/protobufjs/protobuf.js/issues/1744)) ([b1746a8](https://togithub.com/protobufjs/protobuf.js/commit/b1746a8c5e2b9c29644318090cc9e581f7e34b6e)) - update dependencies / general cleanup ([#​1356](https://togithub.com/protobufjs/protobuf.js/issues/1356)) ([42f49b4](https://togithub.com/protobufjs/protobuf.js/commit/42f49b43f692c24c2bc1ae081b4d1ad9fa173cd7)) ##### Bug Fixes - allow for an optional semicolon where there is an optional comma in parseOptionValue ([#​1571](https://togithub.com/protobufjs/protobuf.js/issues/1571)) ([af1b449](https://togithub.com/protobufjs/protobuf.js/commit/af1b449602b360091e191a58abde2f246d8b0f1d)) - allow Windows unc paths to be resolved and normalized ([#​1351](https://togithub.com/protobufjs/protobuf.js/issues/1351)) ([cd4aeda](https://togithub.com/protobufjs/protobuf.js/commit/cd4aeda8036f80cfa3b9f1db4096d856b2fd05fb)) - **deps:** patch minimatch vulnerability ([#​1704](https://togithub.com/protobufjs/protobuf.js/issues/1704)) ([bac61b8](https://togithub.com/protobufjs/protobuf.js/commit/bac61b8c2757804bbb9c5fa0f8bc6a7bcf0bb374)) - **deps:** update dependency long to v5 ([#​1751](https://togithub.com/protobufjs/protobuf.js/issues/1751)) ([dadc65e](https://togithub.com/protobufjs/protobuf.js/commit/dadc65e12d654f96daf83253476e55da35214904)) - **deps:** use eslint 8.x ([#​1728](https://togithub.com/protobufjs/protobuf.js/issues/1728)) ([fa01883](https://togithub.com/protobufjs/protobuf.js/commit/fa01883a0f756824d69ce92bfb012de05ff223ef)) - do not fail if no process ([#​1440](https://togithub.com/protobufjs/protobuf.js/issues/1440)) ([f2faa8c](https://togithub.com/protobufjs/protobuf.js/commit/f2faa8c32e918b3b843005f0419608b8e158998d)) - do not let setProperty change the prototype ([#​1731](https://togithub.com/protobufjs/protobuf.js/issues/1731)) ([3357ef7](https://togithub.com/protobufjs/protobuf.js/commit/3357ef753871b394b825d15429ceb27b26e24d63)) - **docs:** update CHANGELOG to match format of release-please ([#​1376](https://togithub.com/protobufjs/protobuf.js/issues/1376)) ([15ed8a0](https://togithub.com/protobufjs/protobuf.js/commit/15ed8a0fbe72b2e408b87ba25028f877796cc191)) - drop support for Node 4, 6, 8, 10 ([#​1764](https://togithub.com/protobufjs/protobuf.js/issues/1764)) ([50370dd](https://togithub.com/protobufjs/protobuf.js/commit/50370dd7747a0986e83ddbe51c54b97033af5ead)) - encoding of empty Buffers ([#​1514](https://togithub.com/protobufjs/protobuf.js/issues/1514)) ([b4cae07](https://togithub.com/protobufjs/protobuf.js/commit/b4cae07440387399e097058e15e50608a0e764fd)), closes [#​1500](https://togithub.com/protobufjs/protobuf.js/issues/1500) [#​885](https://togithub.com/protobufjs/protobuf.js/issues/885) - es6 export enum ([#​1446](https://togithub.com/protobufjs/protobuf.js/issues/1446)) ([9f33784](https://togithub.com/protobufjs/protobuf.js/commit/9f33784350b1efc2e774bbfc087cbd2c47828748)) - fix util.global ([#​1441](https://togithub.com/protobufjs/protobuf.js/issues/1441)) ([742b8dc](https://togithub.com/protobufjs/protobuf.js/commit/742b8dcbc750f9c2659088cbd88ea61fd11b24a7)) - fromObject should not initialize oneof members ([#​1597](https://togithub.com/protobufjs/protobuf.js/issues/1597)) ([90afe44](https://togithub.com/protobufjs/protobuf.js/commit/90afe4412de8070b0c0681e5905a6e0213072a85)) - google.protobuf.Any type_url fixes ([#​1068](https://togithub.com/protobufjs/protobuf.js/issues/1068)) ([192f5f1](https://togithub.com/protobufjs/protobuf.js/commit/192f5f12d071fa534ac625290d4666c839a46a9e)) - handling of map entries with omitted key or value ([#​1348](https://togithub.com/protobufjs/protobuf.js/issues/1348)) ([b950877](https://togithub.com/protobufjs/protobuf.js/commit/b950877c86676399674821fca4cf444f046b5acb)) - handling properly fields with leading and trailing comments after field with trailing comment ([#​1593](https://togithub.com/protobufjs/protobuf.js/issues/1593)) ([9011aac](https://togithub.com/protobufjs/protobuf.js/commit/9011aac161e1bf8eaa3cbf0f17e8f321b6e0d9c4)) - make node detection a bit more forgiving ([#​1445](https://togithub.com/protobufjs/protobuf.js/issues/1445)) ([4e75f6d](https://togithub.com/protobufjs/protobuf.js/commit/4e75f6de4a2e49f28c24b59107f262d472b68977)) - make parsedOptions appear in method JSON representation ([#​1506](https://togithub.com/protobufjs/protobuf.js/issues/1506)) ([3d29969](https://togithub.com/protobufjs/protobuf.js/commit/3d29969865f2119550d9dc88391846469da9fa7f)) - proper relative path to protobufjs in cli ([#​1753](https://togithub.com/protobufjs/protobuf.js/issues/1753)) ([a1d6029](https://togithub.com/protobufjs/protobuf.js/commit/a1d60292ecb22fcf89c493c562ae07ab10ef49c9)) - properly parse empty messages in options ([#​1429](https://togithub.com/protobufjs/protobuf.js/issues/1429)) ([7fbc79f](https://togithub.com/protobufjs/protobuf.js/commit/7fbc79f11d89b263dafc8f332ccba59a8d181fca)) - proto3 optional scalars should default to null in reflection API ([#​1693](https://togithub.com/protobufjs/protobuf.js/issues/1693)) ([d9144de](https://togithub.com/protobufjs/protobuf.js/commit/d9144dea611c9a1c0e01cc3e0e2491c6de5f9c97)) - replace deprecated String.prototype.substr() ([#​1701](https://togithub.com/protobufjs/protobuf.js/issues/1701)) ([e33a84a](https://togithub.com/protobufjs/protobuf.js/commit/e33a84a301eb6beaaa6a71a20756f0b5ccfb0459)) - scope variable for map field to avoid redeclaration ([#​1717](https://togithub.com/protobufjs/protobuf.js/issues/1717)) ([#​1718](https://togithub.com/protobufjs/protobuf.js/issues/1718)) ([1d3c02a](https://togithub.com/protobufjs/protobuf.js/commit/1d3c02a89ea9ad794b454d11ca2de425db4772dd)) - support for options with `repeated_value: [ "foo", "bar" ]` ([#​1574](https://togithub.com/protobufjs/protobuf.js/issues/1574)) ([f5b893c](https://togithub.com/protobufjs/protobuf.js/commit/f5b893c03e9694bbe7da7c4001cc74b06039eb9c)) - typo in pbjs help text ([#​1552](https://togithub.com/protobufjs/protobuf.js/issues/1552)) ([7f46dbe](https://togithub.com/protobufjs/protobuf.js/commit/7f46dbeb538a6277035a896e1ab5e1a070e28681)) - update minimal.js to evade override mistake ([#​1742](https://togithub.com/protobufjs/protobuf.js/issues/1742)) ([e2f33a0](https://togithub.com/protobufjs/protobuf.js/commit/e2f33a04eddbcffcbc2ae16c72ac3820410057bc)) - updated isNode check ([#​1221](https://togithub.com/protobufjs/protobuf.js/issues/1221)) ([#​1363](https://togithub.com/protobufjs/protobuf.js/issues/1363)) ([5564e7b](https://togithub.com/protobufjs/protobuf.js/commit/5564e7b5f07d3eab99762528e8ce88507af5a5a3)) - utf8 -> utf16 decoding bug on surrogate pairs ([#​1486](https://togithub.com/protobufjs/protobuf.js/issues/1486)) ([75172cd](https://togithub.com/protobufjs/protobuf.js/commit/75172cd11be137bbabd2fba7a02b15067695ebad)) ##### [6.10.2](https://www.github.com/protobufjs/protobuf.js/compare/v6.10.1...v6.10.2) (2020-11-13) ##### Bug Fixes - es6 export enum ([#​1446](https://www.togithub.com/protobufjs/protobuf.js/issues/1446)) ([9f33784](https://www.github.com/protobufjs/protobuf.js/commit/9f33784350b1efc2e774bbfc087cbd2c47828748)) - make parsedOptions appear in method JSON representation ([#​1506](https://www.togithub.com/protobufjs/protobuf.js/issues/1506)) ([3d29969](https://www.github.com/protobufjs/protobuf.js/commit/3d29969865f2119550d9dc88391846469da9fa7f)) - utf8 -> utf16 decoding bug on surrogate pairs ([#​1486](https://www.togithub.com/protobufjs/protobuf.js/issues/1486)) ([75172cd](https://www.github.com/protobufjs/protobuf.js/commit/75172cd11be137bbabd2fba7a02b15067695ebad)) ##### [6.10.1](https://www.github.com/protobufjs/protobuf.js/compare/v6.10.0...v6.10.1) (2020-07-16) ##### Bug Fixes - make node detection a bit more forgiving ([#​1445](https://www.togithub.com/protobufjs/protobuf.js/issues/1445)) ([4e75f6d](https://www.github.com/protobufjs/protobuf.js/commit/4e75f6de4a2e49f28c24b59107f262d472b68977))

Configuration

πŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

codecov-commenter commented 1 year ago

Codecov Report

Merging #1106 (69bc42c) into master (d46c889) will increase coverage by 0.04%. The diff coverage is n/a.

:exclamation: Current head 69bc42c differs from pull request most recent head 6404c5d. Consider uploading reports for the commit 6404c5d to get more accurate results

@@            Coverage Diff             @@
##           master    #1106      +/-   ##
==========================================
+ Coverage   95.56%   95.60%   +0.04%     
==========================================
  Files         153      153              
  Lines       10924    10924              
  Branches     1042     1042              
==========================================
+ Hits        10439    10444       +5     
+ Misses        485      480       -5

see 2 files with indirect coverage changes

aabmass commented 1 year ago

This is only in a dev dependency and does not affect the published NPM packages.