googleapis / nodejs-pubsub

Node.js client for Google Cloud Pub/Sub: Ingest event streams from anywhere, at any scale, for simple, reliable, real-time stream analytics.
https://cloud.google.com/pubsub/
Apache License 2.0

CVE-2023-36665 vulnerability is still present in protobufjs 7.2.4 #1909

Closed aramikuto closed 2 months ago

aramikuto commented 2 months ago

Protobufjs was updated to version 7.2.4 in https://github.com/googleapis/gax-nodejs/issues/1466 to address the CVE-2023-36665 vulnerability. However, it has been discovered that version 7.2.4 remains vulnerable. The latest version of firebase-tools (v13.7.2 at the moment) still relies on version ^3.6.1 of this package as a peer dependency.

Is it possible to release a patched 3.x version with protobufjs 7.2.5, where the vulnerability has been resolved?

├─ firebase-tools@npm:13.7.2 (via npm:^13.7.2)
│  └─ @google-cloud/pubsub@npm:3.7.5 (via npm:^3.0.1)
│     └─ google-gax@npm:3.6.1 (via npm:^3.6.1)
│        ├─ @grpc/grpc-js@npm:1.8.21 (via npm:~1.8.0)
│        │  └─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ proto3-json-serializer@npm:1.1.1 (via npm:^1.0.0)
│        │  └─ protobufjs@npm:7.2.6 (via npm:^7.0.0)
│        └─ protobufjs@npm:7.2.4 (via npm:7.2.4)
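
As an added example (not code from the nodejs-pubsub project), the following Node.js script walks the `yarn why`-style tree above and reports every protobufjs resolution with its dependency path, flagging any version below 7.2.5, which the report names as the release that resolves the CVE. The names `parseLine`, `findVulnerable`, `FIXED` and the `TREE` constant are introduced here, and the 7.2.5 threshold is taken from the report rather than from the project.

```javascript
// Added example: flag protobufjs resolutions below the fixed release in a `yarn why`-style tree.
// Assumption (from the report): 7.2.5 is the first protobufjs release that resolves CVE-2023-36665.
const FIXED = [7, 2, 5];

// Constructed input: the dependency tree quoted in the issue.
const TREE = `
├─ firebase-tools@npm:13.7.2 (via npm:^13.7.2)
│  └─ @google-cloud/pubsub@npm:3.7.5 (via npm:^3.0.1)
│     └─ google-gax@npm:3.6.1 (via npm:^3.6.1)
│        ├─ @grpc/grpc-js@npm:1.8.21 (via npm:~1.8.0)
│        │  └─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ proto3-json-serializer@npm:1.1.1 (via npm:^1.0.0)
│        │  └─ protobufjs@npm:7.2.6 (via npm:^7.0.0)
│        └─ protobufjs@npm:7.2.4 (via npm:7.2.4)
`;

// One tree line -> { depth, name, version }, or null for lines that are not nodes.
// Each nesting level is a 3-character prefix ("│  " or "   ") before the branch glyph.
function parseLine(line) {
  const m = /^((?:[│ ]  )*)[├└]─ (@?[^@]+)@npm:(\d+\.\d+\.\d+)/.exec(line);
  return m ? { depth: m[1].length / 3, name: m[2], version: m[3] } : null;
}

// Numeric major.minor.patch comparison: negative when a < b, zero when equal.
function compareVersions(a, b) {
  return a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
}

// Every resolution of `pkg` in the tree, with its dependency path and whether it predates `fixed`.
function findVulnerable(tree, pkg = 'protobufjs', fixed = FIXED) {
  const stack = [];     // ancestors of the current node, indexed by depth
  const findings = [];
  for (const line of tree.split('\n')) {
    const node = parseLine(line);
    if (!node) continue;
    stack.length = node.depth;             // leaving a subtree drops its ancestors
    stack.push(`${node.name}@${node.version}`);
    if (node.name !== pkg) continue;
    const vulnerable = compareVersions(node.version.split('.').map(Number), fixed) < 0;
    findings.push({ path: stack.join(' > '), version: node.version, vulnerable });
  }
  return findings;
}

for (const f of findVulnerable(TREE)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok'}\t${f.path}`);
}
```

Point the same function at the output of `yarn why protobufjs` in your own project to see which dependency path still pins the unpatched build.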

aramikuto commented 2 months ago

I opened the issue in the wrong repository, so I will reopen it in googleapis/gax-nodejs

grex-gh commented 2 months ago

Could this be resolved? I'm also experiencing CVE-2023-36665 issues. Could you please bump the protobufjs package to a version which doesn't trigger security alerts?

https://github.com/advisories/GHSA-h755-8qp9-cq85