fix(security): Bump dep to eliminate ProtobufJS security vulnerability #18917
Hey, I just made a Pull Request!
This PR includes a manual bump of a transitive dependency which should fix a high security vulnerability reported in the repo.
Interestingly, Dependabot wasn't able to update it, and various combinations of commands in yarn weren't able to locally either. (for maintainers -> https://github.com/backstage/backstage/security/dependabot/245 )
Related: #18744 (but not a direct fix for)
I ended up just removing the proto3-json-serializer@1.0.0 reference from the yarn.lock, and a yarn install reinstall found it was missing and properly installed v1.1.1 (which was within Google GAX's semver compliance). This version has a transitive dependency on the actual vulnerable ProtobufJS package, with the upgrade eliminating ProtobufJS v6 and bumping it to v7, which is the version which patches the CVE. (fixed in proto3-json-serializer v1.0.3: https://github.com/googleapis/proto3-json-serializer-nodejs/releases/tag/v1.0.3 )

I ran tests locally against the Backend Auth plugin, which included these transitive references for Google usage, and all looks good so far. The change itself is actually within semver compliance all through, so should be good!
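The fix above works by dropping a stale lockfile entry so that the next install re-resolves the transitive dependency within its declared range. A useful follow-up check for a reviewer is to confirm, from the lockfile alone, that no resolution of the vulnerable package's old major line remains and to see which entries pull it in. The script below is an added example and is not code from this PR or from Backstage; it assumes a Yarn classic (v1) lockfile layout (berry's `key: value` field style is tolerated for the fields it reads), reads only the `version` and `dependencies` fields, and both lockfiles embedded in it are constructed samples rather than the repository's real yarn.lock.

```python
"""Audit a yarn.lock for a package whose older major line is known vulnerable.

Added example, not code from the PR or from Backstage. Assumes Yarn classic
(v1) layout; only `version` and `dependencies` fields are read. Both lockfile
texts below are constructed samples.
"""
import re

# Constructed "before" state: a stale proto3-json-serializer@1.0.0 entry still
# pulls in protobufjs 6.x while a 7.x entry is used elsewhere.
LOCK_BEFORE = '''\
# yarn lockfile v1

proto3-json-serializer@^1.0.0:
  version "1.0.0"
  dependencies:
    protobufjs "^6.11.2"

protobufjs@^6.11.2:
  version "6.11.3"

protobufjs@^7.0.0:
  version "7.2.4"
'''

# Constructed "after" state: the stale entry was removed and `yarn install`
# re-resolved the range to a release that depends on protobufjs 7.x.
LOCK_AFTER = '''\
# yarn lockfile v1

proto3-json-serializer@^1.0.0:
  version "1.1.1"
  dependencies:
    protobufjs "^7.0.0"

protobufjs@^7.0.0:
  version "7.2.4"
'''

ENTRY_RE = re.compile(r'^(?P<keys>\S.*):\s*$')                 # unindented entry header
VERSION_RE = re.compile(r'^\s+version:?\s+"?(?P<v>[^"\s]+)"?\s*$')
DEP_RE = re.compile(r'^\s{4}(?P<n>"[^"]+"|[^\s:"]+):?\s+"?(?P<r>[^"\s]+)"?\s*$')


def spec_name(spec):
    """'@scope/pkg@^1.0.0' -> '@scope/pkg'; 'pkg@npm:^7.0.0' -> 'pkg'."""
    spec = spec.strip().strip('"')
    at = spec.find('@', 1)              # skip the leading '@' of a scoped package
    return spec if at == -1 else spec[:at]


def parse_lock(text):
    """Return one dict per lock entry: names, resolved version, dependencies."""
    entries, cur, in_deps = [], None, False
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        if not line[0].isspace():                       # new entry header
            m = ENTRY_RE.match(line)
            if m:
                names = {spec_name(s) for s in m.group('keys').split(',')}
                cur = {'names': sorted(names), 'version': None, 'dependencies': {}}
                entries.append(cur)
            in_deps = False
            continue
        if cur is None:
            continue
        vm = VERSION_RE.match(line)
        if vm:
            cur['version'] = vm.group('v')
            continue
        if line.strip() == 'dependencies:':
            in_deps = True
            continue
        dm = DEP_RE.match(line) if in_deps else None
        if dm:
            cur['dependencies'][dm.group('n').strip('"')] = dm.group('r')
        else:
            in_deps = False                             # any other field ends the block
    return entries


def major(version):
    return int(version.split('.')[0])


def vulnerable_resolutions(text, package, fixed_major):
    """(name, version) for every resolution of `package` below the fixed major."""
    return [(n, e['version']) for e in parse_lock(text) for n in e['names']
            if n == package and e['version'] and major(e['version']) < fixed_major]


def dependents_of(text, package):
    """Who pulls `package` in and with which range (a lockfile-only `yarn why`)."""
    return [(n, e['version'], e['dependencies'][package])
            for e in parse_lock(text) for n in e['names'] if package in e['dependencies']]


def lock_is_clean(text, package='protobufjs', fixed_major=7):
    return not vulnerable_resolutions(text, package, fixed_major)


if __name__ == '__main__':
    for label, lock in (('before', LOCK_BEFORE), ('after', LOCK_AFTER)):
        print(label, 'clean' if lock_is_clean(lock) else
              (vulnerable_resolutions(lock, 'protobufjs', 7), dependents_of(lock, 'protobufjs')))
```

Run against a real lockfile by reading it into `text` and calling `lock_is_clean(text)`; `dependents_of` tells you which entry to look at when a stale resolution is still present, which is the same question the manual lockfile edit in this PR answered by hand.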