fix(nodejs): update @grpc/proto-loader dependency to fix a vulnerability #513
Please read CONTRIBUTING.md for additional information on contributing to this repository!
What this PR does / why we need it
In commitbridge, we are importing "github.com/getoutreach/stencil-golang/pkg" and it is adding a dependency of "proto-loader" of version 0.5.5, and this is adding a dependency of "protobufjs" in the yarn.lock file with version 6.8.6.
Now the issue comes here: there's a vulnerability with this version of protobufjs, and you can refer to this article for more details.
So I need to use protobufjs versions above 6.11.4 or 7.2.4, and to do that I need to update the proto-loader version.
I have updated the proto-loader version to 0.7.13 in commitbridge, but restencil is degrading it back to 0.5.5 due to the version mentioned in the templates/_helpers.tpl file in this repository. So, I would like to update the proto-loader version in the templates/_helpers.tpl file so that any repository using stencil-golang or stencil-golang/pkg will not use these vulnerable versions of protobufjs.
Jira ID
FRI-4247
Notes for your reviewers
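
A check for the condition this description reports, as an added example that is not part of the pull request or of the stencil-golang repository: it parses a yarn.lock (v1 format) and lists resolved protobufjs versions below the floors named above. The sample lockfile is constructed, the function names are hypothetical, and treating 6.11.4 and 7.2.4 themselves as acceptable is an assumption.

```javascript
// Constructed yarn.lock (v1) excerpt; versions mirror those named in the PR text.
const SAMPLE_LOCK = `
"@grpc/proto-loader@^0.5.5":
  version "0.5.5"
  dependencies:
    protobufjs "^6.8.6"

protobufjs@^6.8.6:
  version "6.8.6"

protobufjs@^7.2.4, protobufjs@^7.2.5:
  version "7.2.5"
`;

// Assumption: first acceptable release on each major line, keyed by major version.
const MIN_SAFE = { 6: [6, 11, 4], 7: [7, 2, 4] };

// Compare two [major, minor, patch] arrays; negative when a < b.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Return every resolved version of `pkg` found in a yarn.lock v1 text.
function resolvedVersions(lockText, pkg) {
  const found = [];
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      // Entry header, e.g. `"@scope/name@^1.0.0", name@~2:`; the range follows the last "@".
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      inEntry = specs.some((spec) => spec.slice(0, spec.lastIndexOf("@")) === pkg);
    } else if (inEntry) {
      const m = /^  version "?(\d+)\.(\d+)\.(\d+)[^"]*"?$/.exec(line);
      if (m) { found.push(m.slice(1, 4).map(Number)); inEntry = false; }
    }
  }
  return found;
}

// Flag versions below the floor of their major line (assumption: majors older than 6 are flagged too).
function vulnerableVersions(lockText, pkg = "protobufjs") {
  return resolvedVersions(lockText, pkg)
    .filter((v) => (MIN_SAFE[v[0]] ? cmp(v, MIN_SAFE[v[0]]) < 0 : v[0] < 6))
    .map((v) => v.join("."));
}
```

Run against a real lockfile by passing its text to `vulnerableVersions`; a non-empty result after a restencil run means the template pin has pulled an old protobufjs back in.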