Skip to content
This repository has been archived by the owner on Oct 3, 2023. It is now read-only.

chore(deps): update dependency protobufjs to v7 [security] #1106

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 8, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
protobufjs (source) 6.11.3 -> 7.2.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.


Release Notes

protobufjs/protobuf.js (protobufjs)

v7.2.4

Compare Source

Bug Fixes

v7.2.3

Compare Source

Bug Fixes

v7.2.2

Compare Source

Bug Fixes
  • do not allow to extend same field twice to prevent the error (#​1784) (14f0536)

v7.2.1

Compare Source

Bug Fixes

v7.2.0

Compare Source

Features
  • cli: generate static files at the granularity of proto messages (#​1840) (32f2d6a)
Bug Fixes

v7.1.2

Compare Source

Bug Fixes

v7.1.1

Compare Source

Bug Fixes

v7.1.0

Compare Source

Features
Bug Fixes

v7.0.0

Compare Source

⚠ BREAKING CHANGES
  • drop support for Node 4, 6, 8, 10 (#​1764)
  • move command line tool to a new package named protobufjs-cli (#​1234)
  • encoding of empty Buffers (#​1514)
Features
Bug Fixes
6.10.2 (2020-11-13)
Bug Fixes
6.10.1 (2020-07-16)
Bug Fixes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@codecov-commenter
Copy link

codecov-commenter commented Jul 8, 2023

Codecov Report

Merging #1106 (69bc42c) into master (d46c889) will increase coverage by 0.04%.
The diff coverage is n/a.

❗ Current head 69bc42c differs from pull request most recent head 6404c5d. Consider uploading reports for the commit 6404c5d to get more accurate results

@@            Coverage Diff             @@
##           master    #1106      +/-   ##
==========================================
+ Coverage   95.56%   95.60%   +0.04%     
==========================================
  Files         153      153              
  Lines       10924    10924              
  Branches     1042     1042              
==========================================
+ Hits        10439    10444       +5     
+ Misses        485      480       -5     

see 2 files with indirect coverage changes

@aabmass
Copy link
Member

aabmass commented Jul 18, 2023

This is only in a dev dependency and does not affect the published NPM packages.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants