Fix Dependabot Vulnerability

[Kalaiselvi84]

What type of PR is this?

Uncomment only one /kind <> line, press enter to put that in a new line, and remove leading whitespace from that line:

/kind breaking
/kind bug

/kind cleanup

/kind documentation
/kind feature
/kind hotfix
/kind release

What this PR does / Why we need it:

Which issue(s) this PR fixes:

Closes #

Special notes for your reviewer:

[agones-bot]

Build Failed 😱

Build Id: 1a87049f-5c02-4d88-a139-12afe1862660

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[markmandel]

Found this error:

npm WARN tarball tarball data for protobufjs@https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.4.tgz (sha512-4ZPTPkXCdel3+L81yw3dG6+Kq3umdWKh7Dc7GW/CpNk4SX3hK58iPCWeCyhVTDrbkNeKrYNZ7EojM5WDaEWTLQ==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for protobufjs@https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.4.tgz (sha512-4ZPTPkXCdel3+L81yw3dG6+Kq3umdWKh7Dc7GW/CpNk4SX3hK58iPCWeCyhVTDrbkNeKrYNZ7EojM5WDaEWTLQ==) seems to be corrupted. Trying again.
npm ERR! code EINTEGRITY
npm ERR! sha512-4ZPTPkXCdel3+L81yw3dG6+Kq3umdWKh7Dc7GW/CpNk4SX3hK58iPCWeCyhVTDrbkNeKrYNZ7EojM5WDaEWTLQ== integrity checksum failed when using sha512: wanted sha512-4ZPTPkXCdel3+L81yw3dG6+Kq3umdWKh7Dc7GW/CpNk4SX3hK58iPCWeCyhVTDrbkNeKrYNZ7EojM5WDaEWTLQ== but got sha512-AT+RJgD2sH8phPmCf7OUZR8xGdcJRga4+1cOaXJ64hvcSkVhNcRHOwIxUatPH15+nj59WAGTDv3LSGZPEQbJaQ==. (574857 bytes)

@steven-supersolid you are our resident NodeJS expect -- is this the right approach to fix this?

[steven-supersolid]

This looks like a transitive dependency so would just try npm audit fix which is what I assumed was done but actually probably not if the SHA was not changed - was this just a manual update to package-lock.json and that is why?

To update all dependencies we could try npm update which in most cases will work, but should be sure to run tests

We may also want to do a more drastic dependency update using npm outdated and then update package.json as well but this could require code changes

[steven-supersolid]

Revoking approval until we clarify how the file was modified and resolve the build issue

[Kalaiselvi84]

Revoking approval until we clarify how the file was modified and resolve the build issue

Initially, I tried with go get -u github.com/protobufjs/protobuf.js@latest. This command updated the go.mod and go.sum files with github.com/protobufjs/protobuf.js v6.11.3+incompatible. However, since the latest version of protobufjs is 7.2.4, I manually updated it.

[markmandel]

Revoking approval until we clarify how the file was modified and resolve the build issue

Initially, I tried with go get -u github.com/protobufjs/protobuf.js@latest. This command updated the go.mod and go.sum files with github.com/protobufjs/protobuf.js v6.11.3+incompatible. However, since the latest version of protobufjs is 7.2.4, I manually updated it.

Since this is a nodejs issue, Go tooling will not work here unfortunately.

If you want a quick node shell with npm tooling - make sdk-shell-node will give you one inside the SDK's build image.

[steven-supersolid]

This file may have been inadvertently added e.g. by running an npm command in the root directory of the project

[Kalaiselvi84]

After running npm update, the agones/package-lock.json file was generated, thought it was required but I have now deleted it. Thanks!

[agones-bot]

Build Succeeded 👏

Build Id: 56761bab-6f19-4443-8ae2-7b39d28a3503

The following development artifacts have been built, and will exist for the next 30 days:

• image: us-docker.pkg.dev/agones-images/ci/agones-controller:1.34.0-dev-803f953-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-extensions:1.34.0-dev-803f953-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-sdk:1.34.0-dev-803f953-linux-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-ping:1.34.0-dev-803f953-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-allocator:1.34.0-dev-803f953-amd64
• Linux C++ SDK (build): agonessdk-1.34.0-dev-803f953-amd64-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.34.0-dev-803f953-amd64.zip

A preview of the website (the last 30 builds are retained):

• https://803f953-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/3269/head:pr_3269 && git checkout pr_3269
• helm install agones ./install/helm/agones --namespace agones-system --set agones.image.registry=us-docker.pkg.dev/agones-images/ci --set agones.image.tag=1.34.0-dev-803f953-amd64

[markmandel]

Yay passing. I think this should be better now?

Thanks @steven-supersolid for the review!

[steven-supersolid]

LGTM!

[agones-bot]

Build Succeeded 👏

Build Id: 70807425-e9ed-41a9-ae62-5dddd9f59e94

The following development artifacts have been built, and will exist for the next 30 days:

• image: us-docker.pkg.dev/agones-images/ci/agones-controller:1.34.0-dev-3c360cd-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-extensions:1.34.0-dev-3c360cd-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-sdk:1.34.0-dev-3c360cd-linux-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-ping:1.34.0-dev-3c360cd-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-allocator:1.34.0-dev-3c360cd-amd64
• Linux C++ SDK (build): agonessdk-1.34.0-dev-3c360cd-amd64-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.34.0-dev-3c360cd-amd64.zip

A preview of the website (the last 30 builds are retained):

• https://3c360cd-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/3269/head:pr_3269 && git checkout pr_3269
• helm install agones ./install/helm/agones --namespace agones-system --set agones.image.registry=us-docker.pkg.dev/agones-images/ci --set agones.image.tag=1.34.0-dev-3c360cd-amd64

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Kalaiselvi84, markmandel, steven-supersolid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• sdks/nodejs/OWNERS [markmandel,steven-supersolid]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[google-oss-prow]

New changes are detected. LGTM label has been removed.

[agones-bot]

Build Succeeded 👏

Build Id: 2ce212e0-a126-4afd-9084-64a3fb09290d

The following development artifacts have been built, and will exist for the next 30 days:

• image: us-docker.pkg.dev/agones-images/ci/agones-controller:1.34.0-dev-ea1b06c-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-extensions:1.34.0-dev-ea1b06c-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-sdk:1.34.0-dev-ea1b06c-linux-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-ping:1.34.0-dev-ea1b06c-amd64
• image: us-docker.pkg.dev/agones-images/ci/agones-allocator:1.34.0-dev-ea1b06c-amd64
• Linux C++ SDK (build): agonessdk-1.34.0-dev-ea1b06c-amd64-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.34.0-dev-ea1b06c-amd64.zip

A preview of the website (the last 30 builds are retained):

• https://ea1b06c-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/3269/head:pr_3269 && git checkout pr_3269
• helm install agones ./install/helm/agones --namespace agones-system --set agones.image.registry=us-docker.pkg.dev/agones-images/ci --set agones.image.tag=1.34.0-dev-ea1b06c-amd64