Vulnerabilities in @apollo/protobufjs (dependency of apollo-reporting-protobuf) #6835
Comments
I doubt any of these are real problems affecting our users — you don't even run the CLI on your machine, just we do. Would your scanner be happier if we just added

Yes @glasser, I think that would be enough for us 👏

This would be beneficial for us as we are getting those vulnerabilities warnings.

Hmm. I added a

Maybe you need to remove them from the files in the package.json. I believe that any file explicitly specified there will be published.

Heh, that seems right!

Looks like this will be fixed by #6967 which will go into Apollo Server v4 (currently in release candidate, should be released in a week or two)
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to version-4, this PR will be updated.

⚠️ `version-4` is currently in **pre mode** so this branch has prereleases rather than normal releases. If you want to exit prereleases, run `changeset pre exit` on `version-4`. ⚠️

# Releases

## @apollo/server-integration-testsuite@4.0.0-rc.15

### Patch Changes

- Updated dependencies \[[`d20842824`](d208428), [`e1455d583`](e1455d5)]:
  - @apollo/usage-reporting-protobuf@4.0.0-rc.2
  - @apollo/server@4.0.0-rc.15

## @apollo/server@4.0.0-rc.15

### Patch Changes

- [#6897](#6897) [`e1455d583`](e1455d5) Thanks [@bonnici](https://github.com/bonnici)! - Usage reporting: always send traces over 10MB as stats.
- Updated dependencies \[[`d20842824`](d208428)]:
  - @apollo/usage-reporting-protobuf@4.0.0-rc.2

## @apollo/usage-reporting-protobuf@4.0.0-rc.2

### Patch Changes

- [#6967](#6967) [`d20842824`](d208428) Thanks [@renovate](https://github.com/apps/renovate)! - Update `@apollo/protobufjs` dependency to avoid false positives in vulnerability scans (<#6835>)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Nice! Thank you @glasser
Hello, reporting here some security issues that we are receiving in the AWS Inspector.

The last version (1.2.4) of the @apollo/protobufjs fork has a lot of vulnerabilities in its cli package-lock.json. This package-lock.json is distributed with the package, so we get all the security warnings when the inspector scans the file.

Hoisted from apollo-server-core#apollo-reporting-protobuf#@apollo#protobufjs

All these vulnerabilities have been fixed in the original protobufjs repository, but the fork is not keeping in sync.
Related vulnerabilities:
CVE-2021-44906
IN1-JS-LODASH-1040724
CVE-2022-21680
CVE-2021-23358