Vulnerability in dependency (google-gax > protobufjs)
There is a critical vulnerability in protobufjs. It's causing npm audit to fail and causing many CI/CD pipelines to fail. When should we expect a new version with the fixed dependency?
Could someone help with accelerating this internally at Google? 🙄
https://github.com/googleapis/gax-nodejs/issues/1586
Thanks for opening this issue! @scaryguy Is this issue for @google-cloud/logging-min or @google-cloud/logging?
@cindy-peng I believe this is for @google-cloud/logging-min as it is dependent on a major version of google-gax (3.6.1) that is no longer supported and will stay vulnerable (per this issue). This is related to #1496.
@cindy-peng any news? googleapis/cloud-profiler-nodejs has been vulnerable for months now.
Would be great to get a new release that upgrades google-gax to a version that depends on protobufjs >7.2.4, due to CVE-2023-36665
I tried to get cloud-profiler-nodejs eyes on this as well here: https://github.com/googleapis/cloud-profiler-nodejs/issues/937
The slow turnaround on this is really frustrating.
So sorry about the late response! There seems to have been an issue with our post-publish process, which prevented the @google-cloud/logging-min package from being released alongside the @google-cloud/logging package. Currently I have published a newer version of @google-cloud/logging-min: https://www.npmjs.com/package/@google-cloud/logging-min?activeTab=readme
Could you try and let me know if that resolves the vulnerability?
Thanks for the publish @cindy-peng! But the package @googleapis/cloud-profiler-nodejs is dependent on ^10.0.0. We need to either release missing previous versions of logging-min or update the profiler to depend on ^11.0.0. https://github.com/googleapis/cloud-profiler-nodejs/issues/937
It looks like @google-cloud/logging-min shares the version with @google-cloud/logging, not sure if we can publish a missing version here. @aabmass is it possible to update the profiler dependency? https://github.com/googleapis/cloud-profiler-nodejs/issues/937
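Added example, not code from the googleapis projects: a package-lock.json check that locates every installed copy of protobufjs, including a copy nested under a pinned google-gax as in the cloud-profiler-nodejs > logging-min > google-gax chain discussed above, and flags any copy not above 7.2.4 (the threshold stated in this thread). The sample lockfile and the 10.5.0 / 7.2.3 version numbers in it are constructed.

```javascript
// Scan a lockfileVersion 2/3 "packages" map for every installed copy of a
// package and report the ones at or below the known-bad version, with the
// dependency path that pulls each one in. A nested copy is what `npm audit`
// keeps flagging even after the hoisted top-level copy has been upgraded.
const FIXED_ABOVE = [7, 2, 4]; // the thread states the fix needs protobufjs > 7.2.4

function parseVersion(v) {
  // Numeric triple only; a leading "v" and any pre-release suffix are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function greaterThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return false; // equal is not "greater", so 7.2.4 itself is still flagged
}

// "node_modules/a/node_modules/@scope/b/node_modules/c" -> ["a", "@scope/b", "c"]
function dependencyChain(lockPath) {
  return lockPath.split('node_modules/').slice(1).map((s) => s.replace(/\/$/, ''));
}

function findVulnerableCopies(lock, pkgName = 'protobufjs') {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const chain = dependencyChain(path);
    if (chain[chain.length - 1] !== pkgName) continue;
    if (!greaterThan(parseVersion(entry.version), FIXED_ABOVE)) {
      hits.push({ path, version: entry.version, chain: chain.join(' > ') });
    }
  }
  return hits;
}

// Constructed sample lockfile: the hoisted copy is patched, but google-gax 3.6.1
// under @google-cloud/logging-min still resolves an older protobufjs.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-service' },
    'node_modules/protobufjs': { version: '7.2.5' },
    'node_modules/@google-cloud/logging-min': { version: '10.5.0' },
    'node_modules/@google-cloud/logging-min/node_modules/google-gax': { version: '3.6.1' },
    'node_modules/@google-cloud/logging-min/node_modules/google-gax/node_modules/protobufjs': { version: '7.2.3' },
  },
};

for (const h of findVulnerableCopies(SAMPLE_LOCK)) console.log(`protobufjs ${h.version} via ${h.chain}`);
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`; the reported chain tells you which intermediate package has to be bumped, which is exactly why a top-level `npm update protobufjs` does not clear the audit finding here.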