This repository was archived by the owner on Feb 20, 2026. It is now read-only.

Installing this lib brings in a critical vulnerability from @google-cloud/logging-min -> google-gax -> protobuf.js #937

@klon

Description

It seems this library relies on @google-cloud/logging-min, which in turn relies on an unpatched version of google-gax in which googleapis/google-cloud-node-core#216 is not fixed. npm audit fix doesn't resolve it.

The root cause is a critical vulnerability, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36665, which I am sure is not really a problem here, but it makes every vulnerability scanner scream.

This prevents us from using this library.

Environment details

  • OS: macOS
  • Node.js version: v20.12.0
  • npm version: 10.5.0
  • @google-cloud/profiler version: 6.0.1

Steps to reproduce

  1. npm install @google-cloud/profiler
  2. npm audit
  3. npm audit fix
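Added example (not part of the issue or the project's code): a small Node.js script that traces which dependency chain brings protobufjs into the tree by resolving entries in a lockfileVersion 3 `packages` map, which shows which intermediate package has to ship the fix when `npm audit fix` cannot apply one. The lockfile is a constructed sample, every version other than 6.0.1 is a placeholder, and `protobufjs` is the npm package name for protobuf.js.

```javascript
// Constructed sample of a lockfileVersion 3 "packages" map. Only 6.0.1 comes
// from the issue; the other version strings are placeholders.
const sampleLock = {
  packages: {
    "": { dependencies: { "@google-cloud/profiler": "6.0.1" } },
    "node_modules/@google-cloud/profiler": {
      version: "6.0.1", dependencies: { "@google-cloud/logging-min": "*" } },
    "node_modules/@google-cloud/logging-min": {
      version: "0.0.0-placeholder", dependencies: { "google-gax": "*" } },
    "node_modules/google-gax": {
      version: "0.0.0-placeholder", dependencies: { protobufjs: "*" } },
    // Nested copy: installed under google-gax rather than hoisted to the root.
    "node_modules/google-gax/node_modules/protobufjs": { version: "0.0.0-placeholder" },
  },
};

// Resolve a dependency the way Node does: try the requiring package's own
// node_modules first, then each ancestor's, ending at the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every chain from the project root to `target` as "name@version" lists.
function chainsTo(lock, target) {
  const packages = lock.packages;
  const label = (p) => p.slice(p.lastIndexOf("node_modules/") + 13) + "@" + packages[p].version;
  const found = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (!next || seen.has(next)) continue; // not installed, or a cycle
      const nextTrail = [...trail, label(next)];
      if (name === target) found.push(nextTrail);
      else walk(next, nextTrail, new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return found;
}
console.log(chainsTo(sampleLock, "protobufjs").map((c) => c.join(" > ")));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`.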

Labels

  • api: cloudprofiler (Issues related to the googleapis/cloud-profiler-nodejs API.)
  • priority: p2 (Moderately-important priority. Fix may not be included in next release.)
  • type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)