Closed aramikuto closed 1 month ago
Same issue for @google-cloud/logging
https://github.com/googleapis/nodejs-logging/issues/1496
This causes a critical vulnerability in @google-cloud/monitoring
```
@google-cloud/monitoring@4.0.0
└─┬ google-gax@4.3.2
  ├─┬ @grpc/proto-loader@0.7.3
  │ └── protobufjs@7.1.2
```
I'm experiencing this issue for @google-cloud/secret-manager and @google-cloud/datastore.
I think this is fixed in #1596
Hi @leahecole
The requirement @grpc/proto-loader
itself requires protobufjs@7.1.2
which is still affected by this critical vulnerability.
You specify "@grpc/proto-loader": "^0.7.0"
and this version still comes with the protobufjs
vulnerability. Latest published version of @grpc/proto-loader
is 0.7.13, which already has this fixed.
Please re-open this issue 🙏
Opened a PR to fix this, awaiting CODEOWNERS review
Protobufjs was updated to version 7.2.4 in https://github.com/googleapis/gax-nodejs/issues/1466 to address the CVE-2023-36665 vulnerability. However, it has been discovered that version 7.2.4 remains vulnerable. The latest version of firebase-tools (v13.7.2 at the moment) still relies on version ^3.6.1 of this package as a peer dependency.
Is it possible to release a patched 3.x version with protobufjs 7.2.5, where the vulnerability has been resolved?
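The recurring question in this thread is whether a transitive protobufjs is still below the release that actually fixes the issue. The following is an added example, not code from the thread or from the googleapis projects: it walks an `npm ls --json`-style dependency tree and reports every path that ends in a protobufjs version older than a given fixed release. The sample tree is constructed for the example (it mirrors the `@google-cloud/monitoring` chain quoted above plus two invented packages, `some-lib` and `patched-lib`), and the fixed-version boundary `7.2.5` is taken from the thread's own statement, not from an independent advisory lookup.

```javascript
// Added example (not from the thread). Walk a dependency tree shaped like the
// output of `npm ls --all --json` and list every path to a package whose
// version is below a given fixed release. No third-party modules needed.

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Returns -1, 0 or 1, or null when either side is not a parseable version.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk. Each hit is the full path from the root to the package,
// so the maintainer of the intermediate package (e.g. @grpc/proto-loader in
// the thread) can be identified. Nodes without a parseable version are
// collected separately rather than silently treated as safe.
function findVulnerablePaths(tree, pkgName, fixedVersion) {
  const hits = [];
  const unknown = [];
  function walk(node, path) {
    const deps = node.dependencies || {};
    for (const [name, child] of Object.entries(deps)) {
      const here = [...path, `${name}@${child.version}`];
      if (name === pkgName) {
        const cmp = compareVersions(child.version, fixedVersion);
        if (cmp === null) unknown.push(here.join(' > '));
        else if (cmp < 0) hits.push(here.join(' > '));
      }
      walk(child, here);
    }
  }
  walk(tree, [`${tree.name || 'root'}@${tree.version || '0.0.0'}`]);
  return { hits, unknown };
}

// Constructed sample tree: the monitoring chain quoted in the thread, an
// invented `some-lib` pinned to the 7.2.4 release the thread says is still
// affected, and an invented `patched-lib` already on 7.2.5.
const sampleTree = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@google-cloud/monitoring': {
      version: '4.0.0',
      dependencies: {
        'google-gax': {
          version: '4.3.2',
          dependencies: {
            '@grpc/proto-loader': {
              version: '0.7.3',
              dependencies: { protobufjs: { version: '7.1.2' } },
            },
          },
        },
      },
    },
    'some-lib': {
      version: '2.0.0',
      dependencies: { protobufjs: { version: '7.2.4' } },
    },
    'patched-lib': {
      version: '1.0.0',
      dependencies: { protobufjs: { version: '7.2.5' } },
    },
  },
};

// Human-readable report; returns the result so callers can also assert on it.
function report(tree, pkgName, fixedVersion) {
  const result = findVulnerablePaths(tree, pkgName, fixedVersion);
  for (const p of result.hits) console.log(`VULNERABLE (< ${fixedVersion}): ${p}`);
  for (const p of result.unknown) console.log(`UNPARSEABLE VERSION: ${p}`);
  if (result.hits.length === 0) console.log(`no ${pkgName} below ${fixedVersion} found`);
  return result;
}

report(sampleTree, 'protobufjs', '7.2.5');
```

To run it against a real project, replace `sampleTree` with `JSON.parse(fs.readFileSync('ls.json'))` after `npm ls --all --json > ls.json`; the walk reports the 7.1.2 and 7.2.4 paths and leaves the 7.2.5 one alone, which is exactly the distinction the comments above are arguing about.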