
Unreleased changes: google-gax 2.28.2-alpha.1 - 2.28.4-alpha.1 || >=3.1.4 is vulnerable to CVE-2019-10790 #255

@carboneater

Description


The current version 3.5.2 published on npm is vulnerable to CVE-2019-10790 (GHSA-mxhp-79qh-mcx6).
MEND Renovate patched the affected dependencies last week, but no 3.5.3 was released.

  1. Is this a client library issue or a product issue?
    Client library: library fails npm audit

  2. Did someone already solve this?
    MEND Renovate already did the first part in fix(deps): update dependency protobufjs to v7.2.1 (gax-nodejs#1411) and fix(deps): update dependency protobufjs-cli to v1.1.0 (gax-nodejs#1412),
    but the changes were never released.

  3. Do you have a support contract?
    Nope

Environment details

  • OS: WSL Debian Bookworm
  • Node.js version: 18.13.0
  • npm version: 8.19.3
  • google-gax version: 3.5.2

Steps to reproduce

  1. npm i google-gax
  2. npm audit
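The reproduction above ends at `npm audit` printing a finding, which is a poor CI signal on its own: it fails on every advisory, and `npm audit fix` cannot help here because the fix exists only in unreleased google-gax commits. The script below is an added example, not code from this issue or from the google-gax project. It parses the JSON that `npm audit --json` emits (npm 7 and later, `auditReportVersion` 2), locates a specific advisory by its GHSA id, reconstructs the dependency chain from the vulnerable package up to the direct dependency via the report's `effects` links, and gates CI on a severity threshold with an allowlist for advisories that are already tracked, such as this one while a release is pending. The embedded report is constructed: `example-transitive-dep` and the numeric `source` id are placeholders standing in for whatever package actually carries the advisory, and the chain shape is illustrative rather than google-gax's real dependency tree.

```javascript
// Added example (not part of the issue or of google-gax): inspect `npm audit --json`
// output for one advisory and gate CI on severity with an allowlist.
// Assumes the npm 7+ report format (auditReportVersion 2).

// CONSTRUCTED sample of an `npm audit --json` report. "example-transitive-dep" and the
// numeric `source` are placeholders; only the advisory id/URL comes from the issue.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-transitive-dep": {
      name: "example-transitive-dep",
      severity: "high",
      isDirect: false,
      via: [
        {
          source: 1000000, // placeholder advisory number
          name: "example-transitive-dep",
          dependency: "example-transitive-dep",
          title: "Constructed advisory title",
          url: "https://github.com/advisories/GHSA-mxhp-79qh-mcx6",
          severity: "high",
          range: "<3.0.0",
        },
      ],
      effects: ["protobufjs-cli"], // packages that depend on this one
      range: "<3.0.0",
      nodes: ["node_modules/example-transitive-dep"],
      fixAvailable: false, // no release contains the fix yet
    },
    "protobufjs-cli": {
      name: "protobufjs-cli",
      severity: "high",
      isDirect: false,
      via: ["example-transitive-dep"], // a string means "vulnerable only through this dep"
      effects: ["google-gax"],
      range: "<1.1.0",
      nodes: ["node_modules/protobufjs-cli"],
      fixAvailable: false,
    },
    "google-gax": {
      name: "google-gax",
      severity: "high",
      isDirect: true,
      via: ["protobufjs-cli"],
      effects: [],
      range: "*",
      nodes: ["node_modules/google-gax"],
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { high: 3, total: 3 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Only object entries in `via` are advisories; strings are just upstream package names.
function advisoriesOf(vuln) {
  return (vuln.via || []).filter((v) => typeof v === "object" && v !== null);
}

// Advisory id as it appears in the GHSA URL, falling back to the numeric source id.
function advisoryId(adv) {
  return adv.url ? adv.url.split("/").pop() : String(adv.source);
}

// Follow `effects` upward from `name` and return every chain ending at a package
// nothing else depends on (normally a direct dependency). Cycle-safe.
function chainsUp(vulns, name, seen = new Set()) {
  if (seen.has(name)) return [[name]];
  const next = new Set(seen).add(name);
  const effects = (vulns[name] && vulns[name].effects) || [];
  if (effects.length === 0) return [[name]];
  const out = [];
  for (const parent of effects) {
    for (const chain of chainsUp(vulns, parent, next)) out.push([name, ...chain]);
  }
  return out;
}

// Find every package carrying the given advisory and explain how it is reached.
function findAdvisory(report, id) {
  const vulns = report.vulnerabilities || {};
  const hits = [];
  for (const [name, vuln] of Object.entries(vulns)) {
    if (!advisoriesOf(vuln).some((a) => advisoryId(a) === id)) continue;
    hits.push({
      package: name,
      range: vuln.range,
      nodes: vuln.nodes,
      fixAvailable: vuln.fixAvailable,
      chains: chainsUp(vulns, name),
    });
  }
  return hits;
}

// CI gate: block on advisories at or above `minSeverity` unless allowlisted by id.
function auditGate(report, { minSeverity = "high", allowlist = [] } = {}) {
  const blocking = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    for (const adv of advisoriesOf(vuln)) {
      const id = advisoryId(adv);
      const severe = SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[minSeverity];
      if (severe && !allowlist.includes(id)) {
        blocking.push({ package: vuln.name, advisory: id, severity: adv.severity });
      }
    }
  }
  return { ok: blocking.length === 0, blocking };
}

// Usage: `npm audit --json > audit.json && node check-audit.js audit.json`.
// Without a file argument the constructed sample is used and the exit code is untouched.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const report = file
    ? JSON.parse(require("node:fs").readFileSync(file, "utf8"))
    : SAMPLE_REPORT;
  console.log(JSON.stringify(findAdvisory(report, "GHSA-mxhp-79qh-mcx6"), null, 2));
  const gate = auditGate(report, { minSeverity: "high" });
  console.log(JSON.stringify(gate, null, 2));
  if (file) process.exitCode = gate.ok ? 0 : 1;
}
```

The allowlist is the practical piece: a tracked advisory whose fix is unreleased upstream (`fixAvailable: false`) should not be auto-fixable and should not block every build, but it should stay visible and be removed from the allowlist the moment the patched version lands.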

Metadata

Assignees: no one assigned

Labels:
  • priority: p2 (Moderately-important priority. Fix may not be included in next release.)
  • type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)

Development: no branches or pull requests