protobufjs / protobuf.js

Protocol Buffers for JavaScript & TypeScript.

Prototype Pollution vulnerability #1984

Open cupidchan opened 2 months ago

cupidchan commented 2 months ago

protobuf.js version: 7.0.0 - 7.2.4

Just including the package to trigger the vulnerability warning. This is related to https://github.com/advisories/GHSA-h755-8qp9-cq85

```
functions %> npm audit fix
up to date, audited 1215 packages in 1s

174 packages are looking for funding
  run `npm fund` for details

# npm audit report

protobufjs  7.0.0 - 7.2.4
Severity: critical
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix`
node_modules/@google-cloud/pubsub/node_modules/protobufjs
  google-gax  2.2.1-pre - 2.2.1-pre.2 || 2.28.2-alpha.1 - 2.28.4-alpha.1 || 3.1.4 - 4.0.3
  Depends on vulnerable versions of protobufjs
  node_modules/@google-cloud/pubsub/node_modules/google-gax
    @google-cloud/pubsub  2.11.1-pre || 3.1.1 - 3.7.5
    Depends on vulnerable versions of google-gax
    node_modules/@google-cloud/pubsub

3 critical severity vulnerabilities

To address all issues, run:
  npm audit fix

1 functions %>
```
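The audit above flags a nested copy of protobufjs under `@google-cloud/pubsub`, not the top-level one. As an added example (not code from the issue or the protobuf.js project), this Node script walks the `packages` map of a lockfile v2/v3 `package-lock.json` and reports every installed copy whose version falls in the affected range 7.0.0 - 7.2.4, so you can see exactly which nested path still needs updating. The lock data is constructed to mirror the dependency path in the report; the versions of the other packages are sample values.

```javascript
// Affected range from the npm audit report on this issue: protobufjs 7.0.0 - 7.2.4.
const AFFECTED = { name: 'protobufjs', min: [7, 0, 0], max: [7, 2, 4] };

// Parse "MAJOR.MINOR.PATCH" into numbers. Prerelease/build suffixes are ignored,
// which is the conservative choice: "7.2.4-pre" is still reported as affected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED.min) >= 0 && compareVersions(v, AFFECTED.max) <= 0;
}

// Returns [{ path, version }] for every installed copy of protobufjs in range,
// including nested copies under other packages' node_modules directories.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // In lockfile v2/v3 the package name is the last "node_modules/" segment.
    const name = path.split('node_modules/').pop();
    if (name === AFFECTED.name && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lock snippet (hypothetical): a top-level copy outside the reported
// range plus the nested copy at the path named in the audit output.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'functions', version: '1.0.0' },
    'node_modules/protobufjs': { version: '7.3.0' },
    'node_modules/@google-cloud/pubsub': { version: '3.7.5' },
    'node_modules/@google-cloud/pubsub/node_modules/google-gax': { version: '4.0.3' },
    'node_modules/@google-cloud/pubsub/node_modules/protobufjs': { version: '7.2.4' },
  },
};

for (const h of findAffected(sampleLock)) console.log(`${h.path} @ ${h.version}`);
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.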
mgm793 commented 2 months ago

Any news here?

ItayElgazar commented 2 months ago

Bumping here

ByteCommitter commented 1 month ago

Same question, how can we resolve this?

joshnies commented 6 days ago

Bump, this vulnerability has been active for months now.