
version 10.0.1 depends on vulnerable protobufjs

Open slowtick opened this issue 6 months ago • 3 comments

Version 10.0.1 of the @google-cloud/datastore library sets "protobufjs": "7.0.0", which has a critical vulnerability.

# npm audit report

protobufjs  7.0.0 - 7.2.4
Severity: critical
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install @google-cloud/[email protected], which is a breaking change
node_modules/@google-cloud/datastore/node_modules/protobufjs
  @google-cloud/datastore  >=10.0.1
  Depends on vulnerable versions of protobufjs
  node_modules/@google-cloud/datastore

2 critical severity vulnerabilities

Overriding to "protobufjs": "^7.0.0" seems to bring in the latest protobufjs, which mitigates the vulnerability, and seems to work okay in our tests.

Can this dependency be updated and released?

slowtick avatar May 18 '25 14:05 slowtick
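One check a consuming project can run against its own lockfile, as an added example (not code from the issue or from the datastore library): it walks a lockfileVersion 2/3 package-lock.json, finds every copy of protobufjs including one nested under @google-cloud/datastore as in the audit output above, and flags versions in the 7.0.0 - 7.2.4 range that npm audit reported. The lockfile contents below are constructed.

```javascript
// Added example, not code from the issue or from @google-cloud/datastore:
// scan an npm lockfile for every copy of protobufjs, nested ones included,
// and flag those inside the range npm audit reported (7.0.0 - 7.2.4).
const VULN_LO = [7, 0, 0]; // first vulnerable release, per the audit output
const VULN_HI = [7, 2, 4]; // last vulnerable release, per the audit output

// "7.2.4" -> [7, 2, 4]; a pre-release suffix such as "-rc.1" is dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  return compareVersions(v, VULN_LO) >= 0 && compareVersions(v, VULN_HI) <= 0;
}

// lockfileVersion 2/3 keeps a "packages" map keyed by node_modules path, so a
// copy nested under another package is listed with its full path.
function findVulnerableProtobufjs(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isProtobufjs = path === 'node_modules/protobufjs' ||
      path.endsWith('/node_modules/protobufjs');
    if (isProtobufjs && entry.version && isVulnerable(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project): the top-level copy
// is current, the copy nested under @google-cloud/datastore is the pinned 7.0.0.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/protobufjs': { version: '7.5.3' },
    'node_modules/@google-cloud/datastore': { version: '10.0.1' },
    'node_modules/@google-cloud/datastore/node_modules/protobufjs': { version: '7.0.0' },
  },
};

console.log(findVulnerableProtobufjs(sampleLock));
```

Run it against a real lockfile by replacing sampleLock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); a non-empty result means the nested pin is still present even if the top-level protobufjs is current.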

We are having the same issue.

cebrix avatar May 27 '25 17:05 cebrix

@danieljbruce any chance this can be looked at? We have dependabot proposing to introduce critical vulnerabilities.

cristianrgreco avatar Jun 02 '25 13:06 cristianrgreco

Same issue here. We'd rather not have to revert to a version using pre-node node 18.

pablocoberly avatar Jun 20 '25 09:06 pablocoberly

The strict "protobufjs": "7.0.0" version is inconsistent with dependency google-gax

google-gax 5.0.2-rc.1 depends on "protobufjs": "^7.5.0".

Latest google-gax 5.0.1 depends on "protobufjs": "^7.5.3".

But it looks like protobufjs 7.5 isn't compatible at the moment (see #1400)

matt-blanchette avatar Aug 01 '25 04:08 matt-blanchette

Is a PR to fix this (to switch to ^) welcome?

kirillgroshkov avatar Aug 04 '25 08:08 kirillgroshkov

This appears to have been fixed, but unfortunately, the change has not been released yet.

tbinna avatar Nov 03 '25 08:11 tbinna