This repository was archived by the owner on Nov 18, 2025. It is now read-only.

chore(deps): proto-loader to 0.7.13 #1611

Merged
leahecole merged 2 commits into googleapis:main from AlvesJorge:update-proto_loader
Jun 5, 2024


@AlvesJorge
Contributor

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

While protobufjs itself was updated to avoid the issue in >7.2.6, proto-loader was not, which itself requires a version of protobufjs with the vulnerability still present.

This PR aims to fix that by upgrading proto-loader to latest where the requirement for the vulnerable version of protobufjs has been updated.
Ideally renovate-bot would have done this by itself, but I couldn't find a PR for it.

Fixes googleapis/google-cloud-node-core#216 🦕
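
An added example, not part of this pull request or the repository's code: the situation described above (a patched top-level protobufjs while a dependency still pins an older copy) shows up in an npm lockfile as a second, nested entry. The sketch below assumes the lockfile v2/v3 `packages` layout; the function names, the sample lockfile and the version floor passed in are constructed for illustration.

```javascript
// Compare dotted numeric versions; prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` whose resolved version is below
// `minSafe`. `nestedUnder` is the package whose node_modules directory
// holds the copy, or "(root)" for the hoisted top-level copy.
function findOutdatedCopies(lock, name, minSafe) {
  const suffix = 'node_modules/' + name;
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key !== suffix && !key.endsWith('/' + suffix)) continue;
    if (!meta.version || compareVersions(meta.version, minSafe) >= 0) continue;
    const parent = key.slice(0, key.length - suffix.length).replace(/\/$/, '');
    const nestedUnder = parent ? parent.split('node_modules/').pop() : '(root)';
    hits.push({ key, version: meta.version, nestedUnder });
  }
  return hits;
}

// Constructed lockfile fragment: the hoisted copy is new enough, but the
// copy nested under @grpc/proto-loader is the 7.2.4 named in the linked issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app' },
    'node_modules/protobufjs': { version: '7.3.0' },
    'node_modules/@grpc/proto-loader': { version: '0.7.0' },
    'node_modules/@grpc/proto-loader/node_modules/protobufjs': { version: '7.2.4' },
  },
};

// Assumed floor for this sample only; take the real value from the advisory.
const ASSUMED_MIN_SAFE = '7.2.6';
console.log(findOutdatedCopies(sampleLock, 'protobufjs', ASSUMED_MIN_SAFE));
```

Run against a real `package-lock.json` by passing the parsed file in place of `sampleLock`; a nested hit means upgrading the top-level package alone does not remove the older copy.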

@AlvesJorge AlvesJorge requested review from a team June 3, 2024 16:17
@google-cla

google-cla Bot commented Jun 3, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@conventional-commit-lint-gcf

conventional-commit-lint-gcf Bot commented Jun 3, 2024

🤖 I detect that the PR title and the commit message differ and there's only one commit. To use the PR title for the commit history, you can use GitHub's automerge feature with squashing, or use automerge label. Good luck human!

-- conventional-commit-lint bot
https://conventionalcommits.org/

@product-auto-label product-auto-label Bot added the size: xs Pull request size is extra small. label Jun 3, 2024
@AlvesJorge AlvesJorge changed the title fix: update proto-loader to 0.7.13 Update proto-loader to 0.7.13 Jun 3, 2024
@AlvesJorge AlvesJorge changed the title Update proto-loader to 0.7.13 chore: proto-loader to 0.7.13 Jun 3, 2024
@AlvesJorge AlvesJorge changed the title chore: proto-loader to 0.7.13 chore(deps): proto-loader to 0.7.13 Jun 4, 2024
@leahecole leahecole added the kokoro:run Add this label to force Kokoro to re-run the tests. label Jun 4, 2024
@yoshi-kokoro yoshi-kokoro removed the kokoro:run Add this label to force Kokoro to re-run the tests. label Jun 4, 2024
@leahecole leahecole added the owlbot:run Add this label to trigger the Owlbot post processor. label Jun 5, 2024
@gcf-owl-bot gcf-owl-bot Bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Jun 5, 2024
@leahecole leahecole merged commit d3e3bf9 into googleapis:main Jun 5, 2024
@AlvesJorge AlvesJorge deleted the update-proto_loader branch June 6, 2024 06:22

Development

Successfully merging this pull request may close these issues.

CVE-2023-36665 vulnerability is still present in protobufjs 7.2.4

3 participants