Description
Hi @alexander-fenster @summer-ji-eng, I’d like to report a high severity vulnerability in your package:
Issue Description
A vulnerability (high severity) CVE-2020-7768 in package @grpc/grpc-js<1.1.8 is transitively referenced by google-gax@1.15.3. We noticed that this vulnerability has been removed since google-gax@2.6.2-beta.0.
However, google-gax's popular previous version google-gax@1.15.3 (240,523 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 780 downstream projects, e.g., @xapp/ovai-cli 1.33.21, @sentrei/common 1.131.0, @sentrei/web 1.131.0, @xapp/stentor-service-analytics 1.33.20, @sentrei/ui 1.131.0, @fbg/common-models@1.1.4 and loopback-rediscache-models@2.3.7, etc.). As such, issue CVE-2020-7768 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade google-gax from version 1.15.3 to >=2.6.2-beta.0. For instance, google-gax@1.15.3 is introduced into the above projects via the following package dependency paths:
(1) @fbg/common-models@1.1.4 ➔ @fbg/errors@1.0.3 ➔ @fbg/logger@1.0.2 ➔ @google-cloud/logging-winston@3.0.6 ➔ @google-cloud/logging@7.3.0 ➔ google-gax@1.15.3 ➔ @grpc/grpc-js@1.0.5
(2) loopback-rediscache-models@2.3.7 ➔ google-pubsub-wrapper@2.3.0 ➔ @google-cloud/pubsub@1.7.3 ➔ google-gax@1.15.3 ➔ @grpc/grpc-js@1.0.5
........
The projects such as @fbg/logger and google-pubsub-wrapper which introduced google-gax@1.15.3 are not maintained anymore. These unmaintained packages can neither upgrade google-gax nor be easily migrated by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package google-gax@1.15.3?
Suggested Solution
Since these inactive projects set a version constraint ~1.15.* for google-gax on the above vulnerable dependency paths, if google-gax removes the vulnerability from 1.15.3 and releases a new patched version google-gax@1.15.4, such a vulnerability patch can be automatically propagated into the 780 affected downstream projects.
In google-gax@1.15.4, you can kindly try to perform the following upgrade:
@grpc/grpc-js ~1.0.3 ➔ ~1.1.8;
Note:
@grpc/grpc-js@1.1.8 (>=1.1.8) has fixed the vulnerability CVE-2020-7768
Thank you for your help.
Sincerely yours,
Paimon