Closed catmeme closed 11 months ago
Personally I went with this as a solution in the short-term, but I would expect Pulumi to address this by sorting through the upgrading of the package.
Add to package.json:
  "overrides": {
    "protobufjs": "~6.9.0"
  }
Thanks for opening the issue and letting us know, @catmeme! This has been fixed by bumping the major version in https://github.com/pulumi/pulumi-policy/pull/313 and released as @pulumi/policy 1.7.0.
What happened?
When installing this package, you are warned of high severity CVEs.
CVE-2022-25878 was addressed: https://github.com/advisories/GHSA-g954-5hwp-pp24
CVE-2023-36665 was not: https://github.com/advisories/GHSA-h755-8qp9-cq85
https://github.com/protobufjs/protobuf.js/issues/1741
https://github.com/pulumi/pulumi-policy/blob/master/sdk/nodejs/policy/package.json#L16
Expected Behavior
Witness no CVEs warnings when installing the package.
Steps to reproduce
Output of pulumi about
Additional context
Downgrading to 6.9.0 might also fix it.