protobufjs Prototype Pollution vulnerability #502

pvlugter · 2023-07-20T03:39:44Z

# npm audit report

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/protobufjs
  @grpc/proto-loader  0.6.0-pre1 - 0.6.13
  Depends on vulnerable versions of protobufjs
  node_modules/@grpc/proto-loader
    @grpc/grpc-js  1.4.0 - 1.6.7
    Depends on vulnerable versions of @grpc/proto-loader
    node_modules/@grpc/grpc-js

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

The text was updated successfully, but these errors were encountered:

pvlugter · 2023-07-20T03:43:35Z

Bumping to protobufjs 7 will be a breaking change. Also a separate package for the CLI:

protobufjs 7.0.0 removes pbjs #398

Upgrading to protobufjs 7 would also allow addressing other issues:

pvlugter added kalix-runtime Runtime and SDKs sub-team javascript-sdk labels Jul 20, 2023

pvlugter mentioned this issue Jul 21, 2023

Auto PR - Bump Proxy version to 1.1.16 #501

Merged

pvlugter mentioned this issue Aug 21, 2023

bump: update protobufjs to 6.11.4 #504

Merged

pvlugter closed this as completed in #504 Aug 22, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

protobufjs Prototype Pollution vulnerability #502

protobufjs Prototype Pollution vulnerability #502

pvlugter commented Jul 20, 2023

pvlugter commented Jul 20, 2023

protobufjs Prototype Pollution vulnerability #502

protobufjs Prototype Pollution vulnerability #502

Comments

pvlugter commented Jul 20, 2023

pvlugter commented Jul 20, 2023