fix(deps): update dependency protobufjs to ~7.2.0 [security] #254

renovate-bot · 2023-07-08T00:06:45Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
protobufjs (source)	`~7.0.0` -> `~7.2.0`

GitHub Vulnerability Alerts

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

Release Notes

protobufjs/protobuf.js (protobufjs)

`v7.2.4`

Compare Source

Bug Fixes

do not let setProperty change the prototype (#1899) (e66379f)

`v7.2.3`

Compare Source

Bug Fixes

type names can be split into multiple tokens (#1877) (8817ee6)

`v7.2.2`

Compare Source

Bug Fixes

do not allow to extend same field twice to prevent the error (#1784) (14f0536)

`v7.2.1`

Compare Source

Bug Fixes

cli: fix relative path to Google pb files (#1859) (e42eea4)
Revert "fix: error should be thrown" (4489fa7)
use bundled filename to fix common pb includes (#1860) (dce9a2e)
use ES5 style function syntax (#1830) (64e8936)

`v7.2.0`

Compare Source

Features

cli: generate static files at the granularity of proto messages (#1840) (32f2d6a)

Bug Fixes

error should be thrown (#1817) (e7a3489)

`v7.1.2`

Compare Source

Bug Fixes

types: nested object can be a oneof (#1812) (119d90a)

`v7.1.1`

Compare Source

Bug Fixes

add import long to the generated .d.ts (#1802) (7c27b5a)
generate valid js code for aliased enum values (#1801) (7120e93)

`v7.1.0`

Compare Source

Features

accept unknown enum values in fromObject (#1793) (ef24ae4)
valuesOptions for enums (#1358) (bb6b1d4)

Bug Fixes

deps: update dependency glob to v8 (#1750) (8303a64)
extensions broke oneof (#1789) (d7f501c)
remove unused @types/long (#1785) (0f4af83)
support for nested messages and enums within group blocks (#1790) (f36d4e4)
types: update type deps (#1776) (d87978b)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

aabmass · 2023-07-18T21:25:49Z

It looks like the protobuf type definitions just need to be regenerated

codecov-commenter · 2023-07-20T03:52:11Z

Codecov Report

Merging #254 (48b413b) into main (b945686) will decrease coverage by 0.27%.
The diff coverage is 48.14%.

@@            Coverage Diff             @@
##             main     #254      +/-   ##
==========================================
- Coverage   42.21%   41.94%   -0.27%     
==========================================
  Files          14       14              
  Lines        2061     2093      +32     
  Branches       42       42              
==========================================
+ Hits          870      878       +8     
- Misses       1173     1197      +24     
  Partials       18       18

Impacted Files	Coverage Δ
proto/profile.js	`23.55% <48.14%> (+0.03%)`	⬆️

…lock.json

forking-renovate · 2023-07-20T04:43:32Z

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

package.json

) * fix(deps): update dependency protobufjs to ~7.2.0 [security] * Pull in protobufjs-cli tools (pbjs and pbts) and regen proto stubs * Explicitly upgrade protobufjs past vulnerability, regenerate package-lock.json --------- Co-authored-by: Aaron Abbott <aaronabbott@google.com>

* chore(deps): update golang docker tag to v1.17 (#182) * test: change base Debian image from Debian 9 to Debian 11 to include a supported Python3 version for node-gyp (#187) * fix(deps): update dependency protobufjs to ~7.2.0 [security] (#254) * fix(deps): update dependency protobufjs to ~7.2.0 [security] * Pull in protobufjs-cli tools (pbjs and pbts) and regen proto stubs * Explicitly upgrade protobufjs past vulnerability, regenerate package-lock.json --------- Co-authored-by: Aaron Abbott <aaronabbott@google.com> * Update package-lock so there are no prod vulnerabilities * chore(deps): update dependency sinon to v15 (#237) * npm run fix with new package-lock.json * chore: remove testing in windows from workflow (#202) * Fix system test to use older npm for compat * test: bump debian version in system test (#251) * test: specify python3 when building docker image (#192) * Use alpine version with python < 3.11 --------- Co-authored-by: WhiteSource Renovate <bot@renovateapp.com> Co-authored-by: Garrett Wang <garrettwang@google.com> Co-authored-by: Amarin (Um) Phaosawasdi <amchiclet@users.noreply.github.com>

fix(deps): update dependency protobufjs to ~7.2.0 [security]

01eca84

This was referenced Jul 14, 2023

Sort out NPM dependencies grafana/pyroscope#2000

Closed

chore: fix protobufjs version grafana/pyroscope#2005

Merged

Pull in protobufjs-cli tools (pbjs and pbts) and regen proto stubs

48b413b

aabmass approved these changes Jul 20, 2023

View reviewed changes

aabmass linked an issue Jul 20, 2023 that may be closed by this pull request

CVE-2023-36665 vunerablity in protobufjs >= 6.10.0, < 7.2.4 #256

Closed

aabmass requested a review from psx95 July 20, 2023 04:00

Explicitly upgrade protobufjs past vulnerability, regenerate package-…

d542e91

…lock.json

aabmass self-requested a review July 20, 2023 04:03

aabmass force-pushed the renovate/npm-protobufjs-vulnerability branch from 48acf49 to d542e91 Compare July 20, 2023 04:03

aabmass added the kokoro:run label Jul 20, 2023

kokoro-team removed the kokoro:run label Jul 20, 2023

aabmass removed their request for review July 20, 2023 14:48

psx95 reviewed Jul 20, 2023

View reviewed changes

package.json Show resolved Hide resolved

psx95 approved these changes Jul 20, 2023

View reviewed changes

aabmass merged commit 787c526 into google:main Jul 20, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update dependency protobufjs to ~7.2.0 [security] #254

fix(deps): update dependency protobufjs to ~7.2.0 [security] #254

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

fix(deps): update dependency protobufjs to ~7.2.0 [security] #254

fix(deps): update dependency protobufjs to ~7.2.0 [security] #254

Uh oh!

Conversation

Uh oh!

GitHub Vulnerability Alerts

Release Notes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Configuration

Uh oh!

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Edited/Blocked Notification

Uh oh!

Uh oh!

Uh oh!