Vulnerability in a sub-dependency (form-data) in @google-cloud/[email protected]
@google-cloud/[email protected] package includes a dependency [email protected]
The package is labeled as a vulnerability. See more information here: GHSA-fjxv-7rqg-78g4. Could you make the necessary changes?
Agreed. Important for us as well.
Agree. This would be awesome to update the version. Looks like another update was merged today too https://github.com/googleapis/nodejs-storage/commit/288e81ebb06118699ed1b7c5164ba0cad096023d
It looks like there's an action to trigger an actual release? cc @ddelgrosso1
https://github.com/googleapis/nodejs-storage/pull/2589
Hello team! We have a Vanta test due in 3 days for this one, any chances we get an update? 🙏🏻
I have seen the patched version from retry-request requires Node.js v18, which is mentioned at https://github.com/googleapis/nodejs-storage/pull/2621 but I can't find any estimate on when it will land. Thanks!
ah, I'm still seeing the vulnerability with the update today cc @ddelgrosso1:
├─┬ @google-cloud/[email protected]
│ └─┬ [email protected]
│   └─┬ @types/[email protected]
│     └── [email protected]
https://github.com/googleapis/nodejs-storage/commit/7bcb04f4ae51f01ba3bf7244c12a842c1953b804
Created a PR for this @ddelgrosso1 @enzoferey @amplicity @hartikainen-ville https://github.com/googleapis/nodejs-storage/pull/2636
It is still relevant for version 7.18.0.
The retry-request package has been deprecated since July 2024.
https://github.com/googleapis/retry-request
Do you think it would make sense to remove it to address the Critical vulnerability in the form-data package?
Thank you in advance!
Not optimal, but until this gets fixed, as a workaround we override the form-data package. Seems safe since it's only being used as a type in:
https://github.com/DefinitelyTyped/DefinitelyTyped/blob/11df58f3a74552eb67e5bf4358b93cead324a9de/types/request/index.d.ts#L10
"overrides": {
  "@google-cloud/storage": {
    "retry-request": {
      "@types/request": {
        "form-data": "2.5.5"
      }
    }
  }
},
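As an added example (not code from this thread or from the nodejs-storage project), a small Node.js check that confirms an override like the one above actually took effect: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and reports every nested copy of a package still below a minimum version. The lockfile embedded here is constructed for illustration; the minimum version is a parameter and defaults to the thread's override value 2.5.5.

```javascript
// Added example: verify that no copy of a package in package-lock.json is
// below a minimum version (e.g. after applying an npm "overrides" entry).
// SAMPLE_LOCK is a constructed lockfile; its paths and versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@google-cloud/storage": { version: "7.16.0" },
    "node_modules/retry-request": { version: "7.0.2" },
    "node_modules/@types/request": { version: "2.48.12" },
    // nested copy that an override should have replaced
    "node_modules/@types/request/node_modules/form-data": { version: "2.5.1" },
    "node_modules/form-data": { version: "4.0.4" },
  },
};

// Compare x.y.z versions numerically; any pre-release suffix is ignored
// (assumption: good enough for the plain release versions npm resolves here).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every lockfile path holding `pkgName` at a version below `minVersion`.
// Matches both the top-level copy and nested node_modules copies.
function findOutdated(lock, pkgName, minVersion = "2.5.5") {
  const suffix = "node_modules/" + pkgName;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .filter(([, meta]) => meta.version && compareVersions(meta.version, minVersion) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Convenience wrapper for a real lockfile on disk (hypothetical CLI use):
//   node check-lock.js package-lock.json form-data 2.5.5
function checkLockFile(file, pkgName, minVersion) {
  const lock = JSON.parse(require("fs").readFileSync(file, "utf8"));
  return findOutdated(lock, pkgName, minVersion);
}
```

An empty result from findOutdated means every resolved copy, nested ones included, is at or above the minimum; a non-empty result lists exactly which nested path still needs attention.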