Fix protobufjs security vulnerability CVE-2023-36665 #99

Merged
merged 1 commit into from
Jul 14, 2023

Contributor

@ljht ljht commented Jul 10, 2023

Upgrade protobufjs to latest version in order to address vulnerability.
Add new package protobufjs-cli, since it was a breaking change from moving from v6 to v7 in protobufjs.

@ljht ljht requested review from a team as code owners July 10, 2023 16:46
@ljht
Contributor Author

ljht commented Jul 10, 2023

This is a duplicate of #98, just added the new package dependency protobufjs-cli and committed the output of `npm run genprotobuf`

@seemk
Contributor

seemk commented Jul 14, 2023

Thanks! But I think the updated package-lock.json contains private artifactory URLs, can you double check this?

@ljht
Contributor Author

ljht commented Jul 14, 2023

Sorry for that, package-lock.json updated to remove reference to private artifactory
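
Added example, not part of the PR thread or the project's code: a check for the problem raised in the review above, listing `package-lock.json` entries whose `resolved` URL does not point at the public npm registry over HTTPS. The allowlist, the function names and the sample lockfile (with the placeholder host `artifactory.example.internal`) are assumptions.

```javascript
// Added example. ALLOWED_HOSTS and SAMPLE_LOCK are constructed assumptions.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);
// Yield every entry with a "resolved" URL from both lockfile layouts:
// flat "packages" (lockfileVersion 2/3) and nested "dependencies" (1/2).
function* resolvedEntries(lock) {
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (pkg.resolved) yield { name: path, resolved: pkg.resolved };
  }
  const stack = [lock.dependencies || {}];
  while (stack.length) {
    for (const [name, dep] of Object.entries(stack.pop())) {
      if (dep.resolved) yield { name, resolved: dep.resolved };
      if (dep.dependencies) stack.push(dep.dependencies);
    }
  }
}

// Return entries fetched from anywhere other than https://<allowed host>.
function findUnexpectedSources(lock, allowed = ALLOWED_HOSTS) {
  const seen = new Set();
  const findings = [];
  for (const { name, resolved } of resolvedEntries(lock)) {
    if (seen.has(resolved)) continue; // v2 lockfiles list each package twice
    seen.add(resolved);
    let source;
    try {
      const url = new URL(resolved);
      // Plain http, git+ssh, file etc. keep their scheme so they never match.
      source = url.protocol === 'https:' ? url.hostname : `${url.protocol}//${url.hostname}`;
    } catch {
      source = 'unparseable';
    }
    if (!allowed.has(source)) findings.push({ name, source });
  }
  return findings;
}

// Constructed lockfile; artifactory.example.internal is a placeholder host.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/pkg-a': { resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-1.0.0.tgz' },
    'node_modules/pkg-b': { resolved: 'https://artifactory.example.internal/api/npm/npm/pkg-b/-/pkg-b-1.0.0.tgz' },
  },
  dependencies: {
    'pkg-b': { resolved: 'https://artifactory.example.internal/api/npm/npm/pkg-b/-/pkg-b-1.0.0.tgz' },
    'pkg-c': { dependencies: { 'pkg-d': { resolved: 'http://registry.npmjs.org/pkg-d/-/pkg-d-1.0.0.tgz' } } },
  },
};
console.log(findUnexpectedSources(SAMPLE_LOCK));
```

Run against a parsed lockfile in CI, a non-empty result can fail the build before a private registry hostname reaches a public repository.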

@seemk
Contributor

seemk commented Jul 14, 2023

Just noticed the commits need to be signed, I can't merge otherwise :(

@ljht
Contributor Author

ljht commented Jul 14, 2023

Learned something new today, I force-pushed a single commit that is signed

@seemk
Contributor

seemk commented Jul 14, 2023

At the moment it's showing me "The email in this signature doesn’t match the committer email." and the merge button is greyed out :D

Upgrade protobufjs to latest version in order to address vulnerability
Add new package protobufjs-cli, since it was a breaking change from
moving from v6 to v7 in protobufjs
@ljht
Contributor Author

ljht commented Jul 14, 2023

Finally got it right

@seemk seemk merged commit 253a6f3 into signalfx:main Jul 14, 2023
@seemk
Contributor

seemk commented Jul 14, 2023

Thanks!

@ljht ljht deleted the protobuf branch July 14, 2023 14:57
@rushabh-wadkar

@seemk Any deadline when this will release?
We use signalfx version ^7.4.0, will this version upgrade for protobufjs apply to those versions too?

@kumarrishav

yeah. good to backport this fix in v7 as well

@rushabh-wadkar

@seemk Any update please?
