pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0

CVE-2020-7768 #83

Closed chrisui closed 2 years ago

chrisui commented 2 years ago

Hello!

Issue details

Steps to reproduce

  1. npm i @pulumi/policy
  2. Get dependabot alerts refe

Expected: No issues
Actual: Get github dependabot alert https://github.com/advisories/GHSA-pp75-xfpw-37g9

% npm ls @grpc/grpc-js
monorepo@0.1.0 /monorepo
├─┬ @pulumi/policy@v1.3.0
│ └── @grpc/grpc-js@0.6.18
└─┬ @pulumi/pulumi@3.21.0
  └── @grpc/grpc-js@1.3.8

% npm ls @pulumi/policy
monorepo@0.1.0 monorepo
├─┬ @pulumi/awsguard@v0.3.0
│ └── @pulumi/policy@v1.3.0 deduped
└── @pulumi/policy@v1.3.0
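The `npm ls` output above shows why the alert fires: one copy of @grpc/grpc-js (0.6.18, under @pulumi/policy) is below the patched release while the other (1.3.8) is not. As an added example that is not part of the issue or the pulumi-policy-aws project, the script below walks the JSON form of `npm ls --json` and reports every dependency path that pulls in a @grpc/grpc-js version below a given patched release, so the transitive copy is caught in CI rather than by dependabot; the patched version 1.1.8 is my reading of the linked advisory and should be checked against it.

```javascript
// Added example, not project code: find vulnerable transitive copies of a
// package in the object printed by `npm ls --json`.

// Minimal semver comparison on the MAJOR.MINOR.PATCH core (pre-release ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Recursively collect every occurrence of `pkg` whose version is below
// `patched`, recording the dependency path that pulled it in.
function findVulnerable(tree, pkg, patched, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkg && compareVersions(info.version, patched) < 0) {
      hits.push({ path: here.join(" > "), version: info.version });
    }
    hits.push(...findVulnerable(info, pkg, patched, here));
  }
  return hits;
}

// Constructed sample mirroring the `npm ls @grpc/grpc-js` output in the issue.
const SAMPLE_TREE = {
  name: "monorepo", version: "0.1.0",
  dependencies: {
    "@pulumi/policy": { version: "1.3.0",
      dependencies: { "@grpc/grpc-js": { version: "0.6.18" } } },
    "@pulumi/pulumi": { version: "3.21.0",
      dependencies: { "@grpc/grpc-js": { version: "1.3.8" } } },
  },
};

// Assumption: 1.1.8 is the first release the advisory lists as patched; verify.
const PATCHED_GRPC_JS = "1.1.8";

function auditSample() {
  return findVulnerable(SAMPLE_TREE, "@grpc/grpc-js", PATCHED_GRPC_JS);
}

for (const hit of auditSample()) {
  console.log(`vulnerable @grpc/grpc-js ${hit.version} via ${hit.path}`);
}
```

On a real project, replace SAMPLE_TREE with `JSON.parse` of `npm ls --json --all` output; a non-empty result is the signal to bump or override the offending dependency.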

chrsmith commented 2 years ago

It looks like this was fixed in the @pulumi/policy repo a while ago, but we just haven't shipped it. So as a workaround we can sync to @pulumi/policy 1.4.0-alpha.1638209268... but we should just cut a new release of that library. (And update our dependency to the newer, fixed version.)

justinvp commented 2 years ago

We've released v1.4.0 of @pulumi/policy which has the updated @grpc/grpc-js dependency.