@google-cloud/pubsub@2.5.0 includes dependencies with security vulnerabilities #1121
Comments
The json-bigint module dependency also needs to be upgraded to 1.0.0 to remediate a security issue. Prototype Pollution: affected versions of this package are vulnerable to Prototype Pollution via the parse function.
Thanks for the notes, everyone. I'll get that PR looked at and see if I can throw in a quick fix for the json-bigint entry as well. I'm also having a conversation with others on the team to see if there's a way we can improve the transitive dependency issue on things like the auth library.
Ahh thanks, GitHub :P I need to reopen this for the second package above.
I'll need to do another PR for this library once that one is updated. I was asked to pass along that our general intent with transitive dependencies is basically:
(Of course if you really do need to lock versions, you can also manually bump the version of a dependency from your project.) In other words, because of the depth and complexity of the average Node package's package graph, it's not generally practical for us to maintain minimum versions upstream for every fix, so the recommended thing is just to refresh your versions once in a while to make sure you have compatible fixes.
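As an added example (not code from the google-cloud/pubsub project or its maintainers), here is a small lock-file checker in the spirit of the advice above: it walks a constructed package-lock.json (lockfileVersion 1 nesting) and reports every copy of json-bigint below 1.0.0 or node-forge below 0.10.0, the fixed versions named in this thread. The intermediate package names in the sample tree are made up.

```javascript
// Minimum versions that carry the fixes discussed in this issue.
const MIN_FIXED = { "json-bigint": "1.0.0", "node-forge": "0.10.0" };

// Constructed sample lock file (lockfileVersion 1 layout). Only the two
// pinned names above are real; "middle-lib" and "leaf-lib" are placeholders.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    "@google-cloud/pubsub": {
      version: "2.5.0",
      dependencies: {
        "middle-lib": {
          version: "6.0.0",
          dependencies: {
            "json-bigint": { version: "0.3.1" },
            "leaf-lib": { version: "3.0.0",
              dependencies: { "node-forge": { version: "0.9.1" } } },
          },
        },
      },
    },
    "json-bigint": { version: "1.0.0" }, // already fixed at top level
  },
};

// Numeric-only version comparison: strips a leading "v" and any
// pre-release suffix, then compares major/minor/patch left to right.
function versionLessThan(a, b) {
  const parse = (v) =>
    v.replace(/^v/, "").split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Recursively walk the nested "dependencies" tree and collect every
// occurrence of a tracked package that is still below its fixed version,
// together with the chain that pulls it in.
function findOutdated(lock, minimums = MIN_FIXED) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const chain = [...path, `${name}@${info.version}`];
      if (minimums[name] && versionLessThan(info.version, minimums[name])) {
        findings.push({ name, version: info.version,
          minimum: minimums[name], path: chain.join(" > ") });
      }
      walk(info.dependencies, chain);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

findOutdated(SAMPLE_LOCK).forEach((f) =>
  console.log(`${f.name}@${f.version} < ${f.minimum}: ${f.path}`));
```

Running it against a real lock file is a matter of replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; the reported chain tells you which direct dependency to refresh or bump.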
Oh, GitHub. :sigh:
Thanks for the fix. Do you know the date when the new official version will be available with the vulnerability fixes? |
@csombok It should be up already, actually - 2.6.0. |
node-forge v0.9.1 was recently identified with a high severity vulnerability, CVE-2020-7720 [1]. The issue has been solved in v0.10.0.
[1] https://www.npmjs.com/advisories/1561