pulumi / pulumi-policy

Pulumi's Policy as Code SDK, CrossGuard. Define infrastructure checks in code to enforce security, compliance, cost, and other practices, enforced at deployment time.
https://www.pulumi.com/docs/guides/crossguard/
Apache License 2.0

Second protobufjs CVE requiring a major version upgrade #311

Closed catmeme closed 11 months ago

catmeme commented 11 months ago

What happened?

When installing this package, you are warned of high-severity CVEs.

CVE-2022-25878 was addressed, https://github.com/advisories/GHSA-g954-5hwp-pp24

CVE-2023-36665 was not, https://github.com/advisories/GHSA-h755-8qp9-cq85

https://github.com/protobufjs/protobuf.js/issues/1741

https://github.com/pulumi/pulumi-policy/blob/master/sdk/nodejs/policy/package.json#L16

Expected Behavior

Witness no CVE warnings when installing the package.

Steps to reproduce

npm i @pulumi/policy

Output of pulumi about

CLI          
Version      3.75.0
Go Version   go1.20.6
Go Compiler  gc

Additional context

Downgrading to 6.9.0 might also fix it.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

catmeme commented 11 months ago

Personally I went with this as a solution in the short term, but I would expect Pulumi to address this by sorting through the upgrading of the package.

Add to package.json:

  "overrides": {
    "protobufjs": "~6.9.0"
  }
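
Added example (not part of this thread and not pulumi-policy's own code): the workaround above relies on npm's `overrides` field, which forces every copy of a transitive dependency to the given range. The script below shows what a tilde range such as `~6.9.0` actually admits (>=6.9.0 and <6.10.0, standard npm semantics), adds such an override to a package.json object, and audits a package-lock.json (lockfileVersion 2/3 `packages` map) for any installed copy of the package that falls outside the pinned range. The lockfile contents and version numbers are constructed for the example; `addOverride` and `findViolations` are hypothetical helper names.

```javascript
// Added example: pin a transitive dependency with npm "overrides" and audit a lockfile
// against the pinned range. Not code from pulumi-policy or from the issue thread.

// Parse "major.minor.patch" (optional leading "v"; pre-release/build tags are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Does `version` satisfy an npm tilde range such as "~6.9.0" (>=6.9.0 <6.10.0)?
// Only tilde ranges are handled; that is all the workaround in the thread uses.
function satisfiesTilde(version, range) {
  if (!range.startsWith("~")) throw new Error(`only tilde ranges are supported: ${range}`);
  const want = parseVersion(range.slice(1));
  const have = parseVersion(version);
  if (have.major !== want.major || have.minor !== want.minor) return false;
  return have.patch >= want.patch;
}

// Return a copy of a package.json object with an "overrides" entry added or replaced.
// (hypothetical helper name)
function addOverride(pkg, name, range) {
  const overrides = { ...(pkg.overrides || {}), [name]: range };
  return { ...pkg, overrides };
}

// Walk a lockfile's "packages" map and list every installed copy of `name`
// (top-level or nested under another package) whose version is outside `range`.
// (hypothetical helper name)
function findViolations(lock, name, range) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const isTarget =
      path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && !satisfiesTilde(entry.version, range)) {
      violations.push({ path, version: entry.version });
    }
  }
  return violations;
}

// Constructed sample lockfile: protobufjs is installed twice, once nested under a
// dependency at a version outside the pinned range. Versions here are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-project", version: "1.0.0" },
    "node_modules/some-dependency": {},
    "node_modules/some-dependency/node_modules/protobufjs": { version: "6.11.0" },
    "node_modules/protobufjs": { version: "6.9.0" },
  },
};

// Constructed sample package.json, before the override is added.
const SAMPLE_PKG = { name: "example-project", version: "1.0.0" };

// Run the audit with the override from the thread and report the results.
function audit(lock, pkg) {
  const pinned = addOverride(pkg, "protobufjs", "~6.9.0");
  const range = pinned.overrides.protobufjs;
  return { range, violations: findViolations(lock, "protobufjs", range) };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = audit(SAMPLE_LOCK, SAMPLE_PKG);
  for (const v of result.violations) {
    console.log(`${v.path} is at ${v.version}, outside override ${result.range}`);
  }
  if (result.violations.length === 0) console.log("all copies satisfy the override");
}
```

After `npm install` applies the override, every `protobufjs` entry in the lockfile should satisfy the pinned range and the audit reports nothing; a non-empty result means a nested copy escaped the override (or the lockfile predates it) and the install should be repeated.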

justinvp commented 11 months ago

Thanks for opening the issue and letting us know, @catmeme! This has been fixed by bumping the major version in https://github.com/pulumi/pulumi-policy/pull/313 and released as @pulumi/policy 1.7.0.