Closed klon closed 2 months ago
@aabmass can you take a look?
Hello guys, should we expect the patch or should we stop using Cloud Profiler?
Any updates, @aabmass?
Sorry for the slowness, I'll take a look this week
It seems like the real issue is https://github.com/googleapis/nodejs-logging/issues/1496 and we just need a new release. I'll follow up internally and see if we can move this forward.
If it will not be a quick fix, I think we could move over from logging-min -> logging or remove that lib altogether. I'll try to dig up why we depend on the minified version.
@google-cloud/logging-min was released https://github.com/googleapis/cloud-profiler-nodejs/pull/939
I will make a release and mark this fixed when it's out
It seems this library is relying on @google-cloud/logging-min that in turn relies on an unpatched version of google-gax that has the https://github.com/googleapis/gax-nodejs/issues/1586 not fixed.
npm audit fix doesn't work to resolve it.
The root cause is a critical vulnerability https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36665 which I am sure is not really a problem here but it makes every vulnerability scanner scream.
This prevents us from using this library.
Environment details
@google-cloud/profiler version: 6.0.1
Steps to reproduce
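The transitive chain described in the report above (profiler, then logging-min, then google-gax) can be traced from a lockfile to see which installed copy of google-gax a scanner is flagging. This is an added example, not part of the original issue or the project's code; the lockfile fragment is constructed, every version except profiler 6.0.1 is a placeholder, and `resolve` and `chainsTo` are hypothetical helper names.

```javascript
// Constructed package-lock.json (lockfileVersion 3) fragment. Only the profiler
// version comes from the issue; every other version and range is a placeholder.
const lock = { packages: {
  "": { dependencies: { "@google-cloud/profiler": "6.0.1", "google-gax": "*" } },
  "node_modules/@google-cloud/profiler": {
    version: "6.0.1", dependencies: { "@google-cloud/logging-min": "*" } },
  "node_modules/@google-cloud/logging-min": {
    version: "0.0.0-placeholder", dependencies: { "google-gax": "*" } },
  "node_modules/@google-cloud/logging-min/node_modules/google-gax": {
    version: "0.0.0-nested-placeholder" },
  "node_modules/google-gax": { version: "0.0.0-hoisted-placeholder" },
} };

// Resolve `name` as required from the package installed at `fromPath`, the way
// Node does: nearest enclosing node_modules first, then outward to the root.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Walk the dependency graph from the root project and record every chain that
// ends at `target`, with the install path and version of the copy it reaches.
function chainsTo(lock, target) {
  const found = [];
  const walk = (path, chain, seen) => {
    const pkg = lock.packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const depPath = resolve(lock.packages, path, name);
      if (!depPath || seen.has(depPath)) continue; // missing or cyclic
      const next = [...chain, name];
      if (name === target) {
        found.push({ chain: next.join(" > "), path: depPath,
                     version: lock.packages[depPath].version });
      }
      walk(depPath, next, new Set(seen).add(depPath));
    }
  };
  walk("", [], new Set([""]));
  return found;
}

console.log(chainsTo(lock, "google-gax"));
```

In the constructed tree the copy reached through the profiler is the nested one, so updating the hoisted google-gax alone would leave the flagged copy in place.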