Second protobufjs CVE requiring a major version upgrade #311

Closed
catmeme opened this issue Jul 19, 2023 · 2 comments · Fixed by #313
Labels: impact/security, kind/bug (Some behavior is incorrect or out of spec), resolution/fixed (This issue was fixed)

Comments

@catmeme

catmeme commented Jul 19, 2023

What happened?

When installing this package, you are warned of high severity CVEs.

CVE-2022-25878 was addressed (GHSA-g954-5hwp-pp24).

CVE-2023-36665 was not (GHSA-h755-8qp9-cq85).

protobufjs/protobuf.js#1741

https://github.com/pulumi/pulumi-policy/blob/master/sdk/nodejs/policy/package.json#L16

Expected Behavior

Witness no CVE warnings when installing the package.

Steps to reproduce

npm i @pulumi/policy

Output of pulumi about

CLI
Version      3.75.0
Go Version   go1.20.6
Go Compiler  gc

Additional context

Downgrading to 6.9.0 might also fix it.


@catmeme catmeme added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jul 19, 2023
@catmeme (Author)

catmeme commented Jul 24, 2023

Personally I went with this as a solution in the short-term, but I would expect Pulumi to address this by sorting through the upgrading of the package.

Add to package.json:

  "overrides": {
    "protobufjs": "~6.9.0"
  }
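An npm `overrides` pin only helps if every installed copy of the package ends up inside the pinned range. The following check is an added example, not code from this thread or from pulumi-policy: it walks a lockfile v2/v3 `packages` map (constructed inline here, with a placeholder dependency name) and reports any copy of `protobufjs` that falls outside the `~6.9.0` override.

```javascript
// Added example (not from this issue thread): verify that an npm "overrides"
// pin such as  "protobufjs": "~6.9.0"  is actually reflected in package-lock.json,
// so no copy of the package survives deeper in the tree outside that range.
// Assumes lockfile v2/v3 layout ("packages" keyed by node_modules paths).

// Parse "~MAJOR.MINOR.PATCH" into an inclusive lower bound and exclusive upper bound.
function parseTildeRange(range) {
  const m = /^~(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range (only ~x.y.z handled here): ${range}`);
  const [major, minor, patch] = m.slice(1).map(Number);
  return { min: [major, minor, patch], max: [major, minor + 1, 0] };
}

// Lexicographic compare of [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function satisfiesTilde(version, range) {
  const v = version.split('.').map(Number);
  const { min, max } = parseTildeRange(range);
  return cmp(v, min) >= 0 && cmp(v, max) < 0;
}

// Report every installed copy of `name` and whether it honours the override range.
function auditOverride(lock, overrides, name) {
  const range = overrides[name];
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.version || !path.endsWith(`node_modules/${name}`)) continue;
    results.push({ path, version: entry.version, ok: satisfiesTilde(entry.version, range) });
  }
  return results;
}

// Constructed sample lock: the override took effect at the root, but a nested copy
// under a (placeholder) dependency was left behind, e.g. by a stale lock file.
const sampleLock = {
  packages: {
    '': { name: 'example-app' },
    'node_modules/protobufjs': { version: '6.9.0' },
    'node_modules/some-dependency/node_modules/protobufjs': { version: '7.2.3' },
  },
};
const sampleOverrides = { protobufjs: '~6.9.0' };

const report = auditOverride(sampleLock, sampleOverrides, 'protobufjs');
for (const r of report) console.log(`${r.ok ? 'OK  ' : 'FAIL'} ${r.version.padEnd(8)} ${r.path}`);
```

Run it against a real lock by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; any FAIL line means the override did not reach that copy and `npm install` should be re-run (or the lock regenerated) before trusting the audit output.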

@justinvp justinvp added impact/security and removed needs-triage Needs attention from the triage team labels Jul 24, 2023
@justinvp justinvp self-assigned this Jul 24, 2023
@justinvp justinvp added this to the 0.92 milestone Jul 24, 2023
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Jul 24, 2023
@justinvp (Member) commented

Thanks for opening the issue and letting us know, @catmeme! This has been fixed by bumping the major version in #313 and released as @pulumi/policy 1.7.0.
