googleapis / gax-nodejs

Google API Extensions for Node.js
Apache License 2.0

protobufjs Security vulnerability still exists in v3.6.1 #1610

Closed gillyb closed 1 day ago

gillyb commented 1 month ago

In version 3.6.1 of this library (gax-nodejs) in the changelog it was reported that you bumped the version of protobufjs to 7.2.4 to fix a security vulnerability in that library.

According to the CVE report of that vulnerability, it was only fixed in version 7.2.5 of protobufjs.
Can you please create a release of 3.x.x with an updated version of protobufjs without the security vulnerability?

Thanks.

AlvesJorge commented 1 month ago

Related issue here but relating to latest version: https://github.com/googleapis/gax-nodejs/issues/1586#issuecomment-2145581858

Whoever tackles this issue for @gillyb should keep in mind that it's not just protobufjs that needs updating but also @grpc/proto-loader, proto3-json-serializer and grpc/grpc-js@1.10.6 (they all have protobufjs as a dependency and potentially a version <7.2.5).
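As an added check (example code, not part of gax-nodejs or of this thread), the script below walks a package-lock.json (lockfileVersion 2 or 3) and lists every installed copy of protobufjs, including nested copies pulled in by packages such as @grpc/proto-loader, flagging any below 7.2.5. The lockfile contents and the proto-loader version in it are constructed for the demo.

```javascript
// Scan a package-lock.json "packages" map for every installed copy of protobufjs
// and flag those below the version the CVE report names as fixed (7.2.5).
// A top-level bump alone can leave an older nested copy under another dependency.
const FIXED_VERSION = '7.2.5';

// Minimal "x.y.z" comparison; a prerelease suffix is ignored for this check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Returns one record per installed copy: its lockfile path (which shows the
// parent package that nests it), its version, and whether it predates the fix.
function findProtobufjs(lock, pkg = 'protobufjs') {
  const results = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith('node_modules/' + pkg)) continue; // '' is the root project
    results.push({
      path,
      version: info.version,
      vulnerable: compareVersions(info.version, FIXED_VERSION) < 0,
    });
  }
  return results;
}

// Constructed sample lockfile: the top-level protobufjs is fixed, but a nested
// copy under @grpc/proto-loader is still on 7.2.4, the version this issue is about.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/protobufjs': { version: '7.2.5' },
    'node_modules/@grpc/proto-loader': { version: '0.0.0-constructed' },
    'node_modules/@grpc/proto-loader/node_modules/protobufjs': { version: '7.2.4' },
  },
};

for (const r of findProtobufjs(sampleLock)) {
  console.log(`${r.path} ${r.version} ${r.vulnerable ? 'VULNERABLE (< 7.2.5)' : 'ok'}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the printed paths show which dependency still nests the old copy.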

danielbankhead commented 1 day ago

This should be fixed as of:

levyeden commented 1 day ago

This was not fixed. As the issuer noted, there needs to be a 3.x.x version released without the protobufjs vulnerability. There is no such version yet. Please see example: @google-cloud/profiler which is dependent on @google-cloud/logging-min.

danielbankhead commented 1 day ago

The 3.x version of this library is no longer supported. We support previous major releases for up to 12 months:

The latest version of this library should not have the documented issue.