Vulnerabilies in @apollo/protobufjs (dependency of apollo-reporting-protobuf) #6835
Comments
|
I doubt any of these are real problems affecting our users — you don't even run the CLI on your machine, just we do. Would your scanner be happier if we just added |
|
Yes @glasser, I think that would be enough for us 👏 |
|
This would be beneficial for us as we are getting those vulnerabilities warnings. |
|
Hmm. I added a |
|
Maybe you need to remove them from the files in the package.json. I believe that any file explicitly specified there will be published. |
|
Heh, that seems right! |
|
Looks like this will be fixed by #6967 which will go into Apollo Server v4 (currently in release candidate, should be released in a week or two) |
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to version-4, this PR will be updated.⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ `version-4` is currently in **pre mode** so this branch has prereleases rather than normal releases. If you want to exit prereleases, run `changeset pre exit` on `version-4`.⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ # Releases ## @apollo/server-integration-testsuite@4.0.0-rc.15 ### Patch Changes - Updated dependencies \[[`d20842824`](d208428), [`e1455d583`](e1455d5)]: - @apollo/usage-reporting-protobuf@4.0.0-rc.2 - @apollo/server@4.0.0-rc.15 ## @apollo/server@4.0.0-rc.15 ### Patch Changes - [#6897](#6897) [`e1455d583`](e1455d5) Thanks [@bonnici](https://github.com/bonnici)! - Usage reporting: always send traces over 10MB as stats. - Updated dependencies \[[`d20842824`](d208428)]: - @apollo/usage-reporting-protobuf@4.0.0-rc.2 ## @apollo/usage-reporting-protobuf@4.0.0-rc.2 ### Patch Changes - [#6967](#6967) [`d20842824`](d208428) Thanks [@renovate](https://github.com/apps/renovate)! - Update `@apollo/protobufjs` dependency to avoid false positives in vulnerability scans (<#6835>) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
|
Nice! Thank you @glasser |
Hello, reporting here some security issues that we are receiving in the aws inspector.
The last version (1.2.4) of the @apollo/protobufjs fork has a lot of vulnerabilities in its cli package-lock.json.
This
package-lock.jsonis distributed with the package, so we get all the security warnings when the inspector scans the file.Hoisted from
apollo-server-core#apollo-reporting-protobuf#@apollo#protobufjsAll these vulnerabilities have been fixed in the original protobufjs repository, but the fork is not keeping in sync.
Related vulnerabilities:
CVE-2021-44906
IN1-JS-LODASH-1040724
CVE-2022-21680
CVE-2021-23358
The text was updated successfully, but these errors were encountered: