
[V2] Pulls in a vulnerable version of `protobufjs` via `google-gax`


Environment details

  • @google-cloud/pubsub version: 2.19.4
  • any platform

Steps to reproduce

npm install @google-cloud/pubsub@2
npm list protobufjs
`-- @google-cloud/pubsub@2.19.4
  `-- google-gax@2.30.3
    +-- @grpc/proto-loader@0.6.9
    | `-- protobufjs@6.11.2  deduped
    +-- proto3-json-serializer@0.1.9
    | `-- protobufjs@6.11.2  deduped
    `-- protobufjs@6.11.2

The latest @google-cloud/pubsub@2 is 2.19.4, which depends on exactly google-gax@2.30.3, which depends on exactly protobufjs@6.11.2, which has CVE-2022-25878.

The CVE is resolved in protobufjs@6.11.3, and google-gax upgraded to protobufjs@6.11.3 with google-gax@2.30.5. So, @google-cloud/pubsub@2 can upgrade to google-gax@2.30.5 to fix this. I would open a PR to do this myself but I was unable to find your v2 branch.

Issue Analytics

  • State: closed
  • Created: a year ago
  • Reactions: 3
  • Comments: 6

Top GitHub Comments

1 reaction
samstefan commented, Jun 23, 2022

Hi @feywind @nakamuloud, I can see a pull request was opened for this and then closed. Would it be ok if I made a pull request for the gax version to help get this done?

0 reactions
feywind commented, Sep 28, 2022

I spent a fairly substantial amount of time yesterday, doing my best to get the v2 branch up and going with CI and all, and I did get that working. But what I found is that several of the dependencies deep in the tree had moved on, and were requesting things that require a newer Node engine, in a minor. So I can no longer even npm i on these things.

I’m having a conversation with some people who are smarter about npm than me 😃 so I hope we can do something more sensible for legacy-v3 when it happens. I think there’s a new tool in npm for overriding dependencies that might help, but it’s not in Node 10/npm v6.
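The dependency chain in the issue (pubsub 2.19.4 pins google-gax 2.30.3, which pins protobufjs 6.11.2, fixed in 6.11.3) and the later comment about npm's dependency-override tooling both come down to the same two questions: which copies of protobufjs in the tree are below the fixed release, and how to force the patched one when the intermediate package cannot be bumped. The script below is an added example, not code from the issue or from the @google-cloud/pubsub project. It walks a dependency tree in the shape `npm ls --json` produces (the `sampleTree` object is constructed by hand to mirror the `npm list protobufjs` output in the issue), reports every protobufjs below 6.11.3, and emits a package.json `overrides` fragment (the override mechanism in npm 8.3 and later, which is the tooling the comment refers to as unavailable on npm v6). The function names and the `patchedTree` fixture are this example's own.

```javascript
// Added example (not from the issue or the pubsub project): find vulnerable
// protobufjs copies in an `npm ls --json` style tree and build an `overrides`
// fragment that forces the patched release.

const FIXED_VERSION = "6.11.3"; // first protobufjs release containing the CVE-2022-25878 fix

// Constructed sample mirroring the `npm list protobufjs` output from the issue.
const sampleTree = {
  name: "app",
  dependencies: {
    "@google-cloud/pubsub": {
      version: "2.19.4",
      dependencies: {
        "google-gax": {
          version: "2.30.3",
          dependencies: {
            "@grpc/proto-loader": {
              version: "0.6.9",
              dependencies: { protobufjs: { version: "6.11.2" } },
            },
            "proto3-json-serializer": {
              version: "0.1.9",
              dependencies: { protobufjs: { version: "6.11.2" } },
            },
            protobufjs: { version: "6.11.2" },
          },
        },
      },
    },
  },
};

// Constructed sample of the same tree after google-gax moved to protobufjs 6.11.3.
const patchedTree = {
  name: "app",
  dependencies: {
    "@google-cloud/pubsub": {
      version: "2.19.4",
      dependencies: {
        "google-gax": {
          version: "2.30.5",
          dependencies: { protobufjs: { version: "6.11.3" } },
        },
      },
    },
  },
};

// Minimal comparison for plain x.y.z version strings (no prerelease tags).
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the tree; returns one finding per copy of `pkgName`
// whose version is below `fixedVersion`, with the path that pulls it in.
function findVulnerableProtobufjs(tree, pkgName = "protobufjs", fixedVersion = FIXED_VERSION) {
  const findings = [];
  function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const childPath = [...path, `${name}@${child.version}`];
      if (name === pkgName && child.version && compareVersions(child.version, fixedVersion) < 0) {
        findings.push({ path: childPath.join(" > "), version: child.version });
      }
      walk(child, childPath);
    }
  }
  walk(tree, []);
  return findings;
}

// package.json fragment for npm >= 8.3 that forces every copy of `pkgName`
// in the tree to resolve to the fixed release.
function overridesFor(pkgName = "protobufjs", fixedVersion = FIXED_VERSION) {
  return { overrides: { [pkgName]: `^${fixedVersion}` } };
}

const report = findVulnerableProtobufjs(sampleTree);
console.log(JSON.stringify(report, null, 2));
console.log(JSON.stringify(overridesFor(), null, 2));
```

To run it against a real project, replace `sampleTree` with `JSON.parse` of the output of `npm ls protobufjs --json`. The three findings for the sample tree correspond to the three `protobufjs@6.11.2` lines in the issue (two of them deduped); the `patchedTree` fixture yields none, which is the state the reporter asked for by moving google-gax to 2.30.5.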
