ReDoS Vulnerability due to protobufjs

[SpiralOutDotEu]

ReDoS Vulnerability to protobufjs@6.8.5.
Update to protobufjs@6.8.6 is required. See relative commit and protobufjs 6.8.6 release notes

[PatSmuk360]

grpc-native-core still seems to be using protobufjs@5

[nicolasnoble]

We can't update to protobufjs6 without doing major damage to our dependents. However, we made a backport of the fix to protobufjs5 (see protobufjs/protobuf.js#1030), and we are now waiting for @dcodeIO to make a protobufjs5 release with this fix in.

[murgatroid99]

Reopening until that fix is published.

[dcodeIO]

FYI: Thanks for reminding me, just published 5.0.3. Btw:

We can't update to protobufjs6 without doing major damage to our dependents.

This is also true the other way around I'm afraid. On my end I saw significant friction encountered by users trying to use grpc with latest protobuf.js.

[nicolasnoble]

@dcodeIO thanks!

As for friction, we've published a separate, new package designed specifically to alleviate upgrade issues with protobufjs in the future. Hopefully this will help.

[nicolasnoble]

The gRPC 1.12.1 release finally got out, and it is now pinning on 5.0.3 that no longer has that vulnerability - not that it was very important anyway, unless you are doing something really wonky like parsing user-provided .proto files instead of using the json representation, but in all cases, it's all good now.

At the time of writing this, both nodesecurity and skyx still have outdated information on the status of this problem, and we'll keep trying to get them to amend their databases.

[nicolasnoble]

As a quick update: both nodesecurity and skyx now have proper information about the security fix that happened in protobufjs 5.0.3.