Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Installing this lib brings in a critical vulnerability from @google-cloud/logging-min -> google-gax -> protobuf.js #937

Closed
klon opened this issue Aug 19, 2024 · 6 comments · Fixed by #929
Closed

Installing this lib brings in a critical vulnerability from @google-cloud/logging-min -> google-gax -> protobuf.js #937

klon opened this issue Aug 19, 2024 · 6 comments · Fixed by #929
Assignees
@aabmass
Labels
api: cloudprofiler Issues related to the googleapis/cloud-profiler-nodejs API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@klon
Copy link

klon commented Aug 19, 2024

It seems this library is relying on @google-cloud/logging-min that in turn relies on an unpatched version of
google-gax that has the googleapis/gax-nodejs#1586 not fixed. npm audit fix doesn't work to resolve it.

The root cause is a critical vulnerability https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36665 which I am sure is not really a problem here but it makes every vulnerability scanner scream.

This prevents us from using this library.

Environment details

  • OS: macOS
  • Node.js version: v20.12.0
  • npm version: 10.5.0
  • @google-cloud/profiler version: 6.0.1

Steps to reproduce

  1. npm install @google-cloud/profiler
  2. npm audit
  3. npm audit fix
@klon klon added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Aug 19, 2024
@product-auto-label product-auto-label bot added the api: cloudprofiler Issues related to the googleapis/cloud-profiler-nodejs API. label Aug 19, 2024
@dashpole
Copy link

@aabmass can you take a look?

@klon klon mentioned this issue Aug 30, 2024
Closed
@EvgeniyS-Planhat
Copy link

Hello guys,
Should we expect the patch or should stop using Cloud Profiler?

@klon
Copy link
Author

klon commented Sep 3, 2024

Any updates @aabmass ?

@aabmass
Copy link
Collaborator

aabmass commented Sep 10, 2024

Sorry for the slowness, I'll take a look this week

@aabmass
Copy link
Collaborator

aabmass commented Sep 10, 2024

It seems like the real issue is googleapis/nodejs-logging#1496 and we just need a new release. I'll follow up internally and see if we can move this forward.

If it will not be a quick fix, I think we could move over from logging-min -> logging or remove that lib altogether. I'll try to dig up why we depend on the minified version.

@aabmass
Copy link
Collaborator

aabmass commented Sep 11, 2024
edited
Loading

@google-cloud/logging-min was released #939

I will make a release and mark this fixed when it's out

@aabmass aabmass linked a pull request Sep 11, 2024 that will close this issue
chore(main): release 6.0.2 #929
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aabmass aabmass

Labels
api: cloudprofiler Issues related to the googleapis/cloud-profiler-nodejs API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(main): release 6.0.2 googleapis/cloud-profiler-nodejs
4 participants
@aabmass @klon @dashpole @EvgeniyS-Planhat