Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump up grpc-node to 1.6.7 to fix CVE-2022-25878 #85

Merged
merged 4 commits into from Jun 9, 2022
Merged

Bump up grpc-node to 1.6.7 to fix CVE-2022-25878 #85

merged 4 commits into from Jun 9, 2022

Conversation

alanlvle
Copy link
Contributor

@alanlvle alanlvle commented Jun 9, 2022

@wu-sheng
Copy link
Member

wu-sheng commented Jun 9, 2022

What is this version bump up about?

@alanlvle
Copy link
Contributor Author

alanlvle commented Jun 9, 2022

Our international business monitoring uses skywalking-nodejs, the security scanning tool aquasec reports high-risk vulnerabilities, and dependencies need to be upgraded.

@wu-sheng
Copy link
Member

wu-sheng commented Jun 9, 2022

Two things

  1. Update this file according to your version bump up, https://github.com/apache/skywalking-nodejs/blob/master/dist/LICENSE#L218
  2. Please make the title and description clear in the PR about which CVEs(IDs) you are going to fix.

@wu-sheng wu-sheng added the dependencies Keep tracking dependencies version, CVE, etc. label Jun 9, 2022
@wu-sheng wu-sheng changed the title fix protobufjs Bump up grpc-node to 1.6.7 to fix CVE-2022-25878 Jun 9, 2022
@wu-sheng wu-sheng requested a review from kezhenxu94 June 9, 2022 06:58
@wu-sheng wu-sheng added this to the 0.5.0 milestone Jun 9, 2022
kezhenxu94
kezhenxu94 requested changes Jun 9, 2022
View reviewed changes
Copy link
Member

@kezhenxu94 kezhenxu94 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please run npm i && npm run build, and then include the package-lock.json into the codebase

@alanlvle
Copy link
Contributor Author

alanlvle commented Jun 9, 2022

ok

wu-sheng
wu-sheng reviewed Jun 9, 2022
View reviewed changes
package-lock.json Outdated
"resolved": "https://registry.npmjs.org/@grpc/proto-loader/-/proto-loader-0.6.7.tgz",
"integrity": "sha512-QzTPIyJxU0u+r2qGe8VMl3j/W2ryhEvBv7hc42OjYfthSj370fUrb7na65rG6w3YLZS/fb8p89iTBobfWGDgdw==",
"version": "0.6.13",
"resolved": "https://npm.zatech.online/@grpc%2fproto-loader/-/proto-loader-0.6.13.tgz",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you set a proxy? This should be changed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK,I update it

@wu-sheng wu-sheng requested a review from kezhenxu94 June 9, 2022 08:48
@kezhenxu94 kezhenxu94 merged commit 5fc4f2e into apache:master Jun 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wu-sheng wu-sheng wu-sheng left review comments

@kezhenxu94 kezhenxu94 kezhenxu94 approved these changes

Assignees
No one assigned
Labels
dependencies Keep tracking dependencies version, CVE, etc.
Projects
None yet
Milestone
0.5.0
3 participants
@alanlvle @wu-sheng @kezhenxu94