lightbend / kalix-javascript-sdk

JavaScript and TypeScript SDKs for Kalix
https://docs.kalix.io/javascript/index.html
Apache License 2.0

protobufjs Prototype Pollution vulnerability #502

Closed pvlugter closed 1 year ago

pvlugter commented 1 year ago
# npm audit report

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install protobufjs@7.2.4, which is a breaking change
node_modules/protobufjs
  @grpc/proto-loader  0.6.0-pre1 - 0.6.13
  Depends on vulnerable versions of protobufjs
  node_modules/@grpc/proto-loader
    @grpc/grpc-js  1.4.0 - 1.6.7
    Depends on vulnerable versions of @grpc/proto-loader
    node_modules/@grpc/grpc-js

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
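Added illustration, not code from kalix-javascript-sdk or protobufjs: the advisory linked above (GHSA-h755-8qp9-cq85) is filed as prototype pollution, and the report itself does not describe the affected code path, so the snippet below shows the general class with two hypothetical "set value at dotted path" helpers, `setPath` (the unsafe pattern) and `safeSetPath` (the hardened one), plus a `pollutedPrototypeKeys` check that a service can run at startup or in tests to detect that `Object.prototype` has been written to. The path string `'__proto__.polluted'` is constructed input for the demonstration.

```javascript
'use strict';

// Hypothetical helpers (not protobufjs code) showing the prototype-pollution
// class named in the audit report, plus a runtime detection check.
// Assume the path segments come from untrusted input.

// Unsafe pattern: every key segment is trusted. The segment "__proto__"
// resolves to Object.prototype, so the final assignment lands on the shared
// prototype and every plain object in the process inherits it.
function setPath(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: reject reserved segments up front and only descend into
// own, plain-object properties; intermediate containers get a null prototype
// so there is nothing inherited to walk into.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

function safeSetPath(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (RESERVED.has(k)) {
      throw new TypeError(`refusing to set reserved key "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Detection: a clean process has no own enumerable keys on Object.prototype.
// Anything returned here was planted by a plain assignment such as the one
// setPath performs above.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Walk through the failure mode, the detection, and the hardened rejection,
// then restore Object.prototype so the rest of the process is unaffected.
function demonstrate() {
  const beforeKeys = pollutedPrototypeKeys();    // []
  const before = ({}).polluted;                   // undefined: clean prototype
  setPath({}, '__proto__.polluted', 'yes');       // constructed untrusted path
  const after = ({}).polluted;                    // 'yes' on a brand-new object
  const detected = pollutedPrototypeKeys();       // ['polluted']
  delete Object.prototype.polluted;               // restore the prototype
  let rejected = false;
  try {
    safeSetPath({}, '__proto__.polluted', 'yes');
  } catch (e) {
    rejected = e instanceof TypeError;            // hardened helper refuses
  }
  const afterFix = ({}).polluted;                 // undefined again
  return { beforeKeys, before, after, detected, rejected, afterFix };
}

console.log(demonstrate());
```

The `pollutedPrototypeKeys` check only catches enumerable assignments; a startup or test-suite check is a useful tripwire, but the real fix for the report above is moving to a protobufjs release at or past 7.2.4, as `npm audit` states.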

pvlugter commented 1 year ago

Bumping to protobufjs 7 will be a breaking change. Also a separate package for the CLI:

Upgrading to protobufjs 7 would also allow addressing other issues: