
fix(nodejs): update @grpc/proto-loader dependency to fix a vulnerability #513

Closed
wants to merge 3 commits into from

Conversation

surya-vl

@surya-vl surya-vl commented May 31, 2024

Please read CONTRIBUTING.md for additional information on contributing to this repository!

What this PR does / why we need it

In commitbridge, we are importing "github.com/getoutreach/stencil-golang/pkg" and it is adding a dependency of "proto-loader" of version 0.5.5, and this adds a dependency of "protobufjs" in the yarn.lock file with version 6.8.6.
Now the issue comes here: there's a vulnerability with this version of protobufjs, and you can refer to this article for more details.
So I need to use protobufjs versions above 6.11.4 or 7.2.4, and to do that I need to update the proto-loader version.
I have updated the proto-loader version to 0.7.13 in commitbridge, but restencil is degrading it back to 0.5.5 due to the version mentioned in the templates/_helpers.tpl file in this repository. So, I would like to update the proto-loader version in the templates/_helpers.tpl file so that any repository using stencil-golang or stencil-golang/pkg will not use these vulnerable versions of protobufjs.

Jira ID

FRI-4247

Notes for your reviewers
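The check a reviewer of this PR would want is whether a repository's yarn.lock still resolves protobufjs below the fixed versions named in the description (6.11.4 on the 6.x line, 7.2.4 on the 7.x line). The following is an added example, not code from stencil-golang or commitbridge; the yarn.lock text is constructed, and "fixed" is read as at or above those two versions.

```javascript
// Constructed yarn.lock v1 sample: one vulnerable protobufjs entry, one fixed one.
const SAMPLE_YARN_LOCK = `
"@grpc/proto-loader@^0.5.5":
  version "0.5.5"
  dependencies:
    protobufjs "^6.8.6"

protobufjs@^6.8.6:
  version "6.8.6"

protobufjs@^7.2.4:
  version "7.2.5"
`;

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Numeric compare of parsed versions; missing components count as 0.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when a protobufjs version is at or above the fix on its major line
// (6.11.4 / 7.2.4 as stated in the PR); majors below 6 predate both fixes.
function isFixedProtobufjs(version) {
  const v = parseVersion(version);
  if (v[0] === 6) return compareVersions(v, [6, 11, 4]) >= 0;
  if (v[0] === 7) return compareVersions(v, [7, 2, 4]) >= 0;
  return v[0] > 7;
}

// Collects every resolved version of `pkg` from yarn.lock v1 text. Entry headers
// are unindented, end with ':' and may list several comma-separated ranges.
function resolvedVersions(lockText, pkg) {
  const lines = lockText.split('\n');
  const versions = [];
  for (let i = 0; i < lines.length; i++) {
    const header = lines[i];
    if (!header || header.startsWith(' ') || !header.endsWith(':')) continue;
    const names = header.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
    // Drop the range after the last '@' so scoped names like @grpc/proto-loader survive.
    if (!names.some((n) => n.slice(0, n.lastIndexOf('@')) === pkg)) continue;
    const m = /^\s+version "([^"]+)"/.exec(lines[i + 1] || '');
    if (m) versions.push(m[1]);
  }
  return versions;
}

// Resolved protobufjs versions that still need the bump this PR is about.
function vulnerableProtobufjs(lockText) {
  return resolvedVersions(lockText, 'protobufjs').filter((v) => !isFixedProtobufjs(v));
}
```

Run it against a real yarn.lock (read the file instead of the constructed sample) after a restencil to confirm the template did not pin proto-loader back to a release that drags protobufjs 6.8.6 in again.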

@surya-vl surya-vl requested a review from a team as a code owner May 31, 2024 03:10
@malept
Member

malept commented Jun 3, 2024

  1. Why is the change needed?
  2. Why does this PR require a restencil?
  3. This change affects every single service which provides a Node.JS gRPC client. This needs to be validated that it won't break anyone.
  4. The dependency in question is a pre-1.0 release that is two minor version bumps (it goes from 0.5 to 0.7). What are the changes? Are any of the changes breaking changes? If so, how do they affect our usage of the dependency?

@surya-vl
Author

surya-vl commented Jun 3, 2024

  1. Why is the change needed?
  2. Why does this PR require a restencil?
  3. This change affects every single service which provides a Node.JS gRPC client. This needs to be validated that it won't break anyone.
  4. The dependency in question is a pre-1.0 release that is two minor version bumps (it goes from 0.5 to 0.7). What are the changes? Are any of the changes breaking changes? If so, how do they affect our usage of the dependency?
  1. I have updated the description with details to answer why this PR is required.
  2. This PR doesn't require a restencil, but I did that to cross-verify that restencil is not degrading the updated versions. I can revert the restencil commits if required.

@malept malept changed the title fix: update proto loader version | FRI-4247 fix(nodejs): update @grpc/proto-loader dependency to fix a vulnerability Jun 18, 2024
@malept
Member

malept commented Jun 18, 2024

Superseded by #515

@malept malept closed this Jun 18, 2024
@malept malept deleted the FRI-4247-update-proto-loader-version branch June 18, 2024 20:58