protobufjs Security vulnerability still exists in v3.6.1

[gillyb]

In version 3.6.1 of this library (gax-nodejs) in the changelog it was reported that you bumped the version of protobufjs to 7.2.4 to fix a security vulnerability in that library.

According to the CVE report of that vulnerability, it was only fixed in version 7.2.5 of protobufjs.
Can you please create a release of 3.x.x with an updated version of protobufjs without the security vulnerability ?

Thanks.

[AlvesJorge]

Related issue here but relating to latest version:
#216

Whoever tackles this issue for @gillyb should keep in mind that it's not just protobufjs that needs updating but also @grpc/proto-loader proto3-json-serializer grpc/grpc-js@1.10.6 (they all have protobufjs as a dependency and potentially an version <7.2.5)

[danielbankhead]

This should be fixed as of:

• chore(deps): update dependency protobufjs to v7.3.2 gax-nodejs#1617
• fix: update various dependencies and linting gax-nodejs#1622

[levyeden]

This was not fixed. As the issuer noted, there needs to be a 3.x.x version released without the protobufjs vulnerability. There is no such version yet. Please see example: @google-cloud/profiler which is dependent on @google-cloud/logging-min.

[danielbankhead]

The 3.x version of this library is no longer supported. We support previous major releases for up to 12 months:

• https://opensource.google/documentation/policies/library-breaking-change

The latest version of this library should not have the documented issue.