Skip to content

DELO-6281: fix dependency security vulnerabilities#232

Open
ikrascloudinary wants to merge 1 commit into
masterfrom
DELO-6281/security-fixes
Open

DELO-6281: fix dependency security vulnerabilities#232
ikrascloudinary wants to merge 1 commit into
masterfrom
DELO-6281/security-fixes

Conversation

@ikrascloudinary

Copy link
Copy Markdown
Contributor

Summary

Vulnerabilities resolved

Dependencies updated

  • None directly. protobufjs is a deep transitive dep: @opentelemetry/sdk-node@opentelemetry/exporter-logs-otlp-grpc@grpc/grpc-js@grpc/proto-loaderprotobufjs.

Resolutions

  • protobufjs: ^7.6.5 — pins the transitive copy to the highest 7.x (≥ 7.6.2 required). Staying within ^7 keeps compatibility with @grpc/proto-loader's protobufjs@^7.5.5 peer range; 8.x would cross a major boundary. Fixes DELO-6281.

Package version

  • 1.3.121.3.13 (PATCH — security-only fix)

Test results

  • npm test passed — 13 passing, no hard crashes or module errors.
  • OpenTelemetry boot path smoke-tested OK (node --require ./instrumentation.js), since protobufjs feeds the OTLP gRPC exporter.

Test plan

  • npm test passes
  • App boots cleanly: node --require ./instrumentation.js start.js (Prometheus exporter on :6060)

Pin protobufjs to ^7.6.5 (>= 7.6.2) to resolve arbitrary code
injection via pbjs static code generation (SNYK-JS-PROTOBUFJS-17362837,
GHSA-pr59-h9ph-3fr8). Transitive dep via @opentelemetry/sdk-node ->
@grpc/grpc-js -> @grpc/proto-loader.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant