Link to vulnerability report: GHSA-h755-8qp9-cq85
@google-cloud/profiler uses pprof 3.2.0, which in turn uses protobufjs ~7.0.0
The vulnerability has been patched in protobufjs 7.2.4, but pprof still needs to be patched to use the newer version
There's an issue here to track the protobufjs upgrade within pprof: google/pprof-nodejs#256
The pprof version used by @google-cloud/profiler is locked to 3.2.0, so it'll need to be bumped when the protobufjs dependency is upgraded
Environment details
- OS: any
- Node.js version: any
- npm version:
- @google-cloud/profiler version: 5.0.4
Steps to reproduce
- Install @google-cloud/profiler
- Notice the security vulnerability alert
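To confirm which protobufjs copy a project actually resolves through this chain, the lockfile can be checked directly. The script below is an added example, not part of the original report or of either project's code: it scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and lists every protobufjs install older than 7.2.4, the patched version named above. The sample lockfile is constructed, the function names are hypothetical, and anything below 7.2.4 is treated as needing review rather than as a statement of the advisory's exact affected range.

```javascript
// Added example, not project code. PATCHED comes from the issue text.
const PATCHED = [7, 2, 4];

// Constructed package-lock.json (lockfileVersion 3) mirroring the chain in the issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@google-cloud/profiler": "5.0.4" } },
    "node_modules/@google-cloud/profiler": { version: "5.0.4", dependencies: { pprof: "3.2.0" } },
    "node_modules/pprof": { version: "3.2.0", dependencies: { protobufjs: "~7.0.0" } },
    "node_modules/protobufjs": { version: "7.0.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a sorts strictly before b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every installed protobufjs copy older than `patched`, plus the
// packages that declare a protobufjs dependency and the range they request.
function findUnpatchedProtobufjs(lock, patched = PATCHED) {
  const packages = Object.entries(lock.packages || {});
  const requestedBy = packages
    .filter(([, meta]) => meta.dependencies && meta.dependencies.protobufjs)
    .map(([path, meta]) =>
      `${path.split("node_modules/").pop() || "(root)"} -> ${meta.dependencies.protobufjs}`);
  return packages
    .filter(([path]) => path.endsWith("node_modules/protobufjs"))
    .filter(([, meta]) => {
      const ver = parseVersion(meta.version);
      return ver === null || isBelow(ver, patched); // unparsable versions are flagged too
    })
    .map(([path, meta]) => ({ path, version: meta.version, requestedBy }));
}

console.log(JSON.stringify(findUnpatchedProtobufjs(sampleLock), null, 2));
```

Nested copies (for example under `node_modules/pprof/node_modules/protobufjs`) are matched as well, so a hoisted patched copy does not hide an older one pinned deeper in the tree.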