
Bump up grpc-node to 1.6.7 to fix CVE-2022-25878 #85

Merged
merged 4 commits into from
Jun 9, 2022

Conversation

alanlvle
Contributor

@alanlvle alanlvle commented Jun 9, 2022

@wu-sheng
Member

wu-sheng commented Jun 9, 2022

What is this version bump up about?

@alanlvle
Contributor Author

alanlvle commented Jun 9, 2022

Our international business monitoring uses skywalking-nodejs; the security scanning tool aquasec reports high-risk vulnerabilities, and the dependencies need to be upgraded.

@wu-sheng
Member

wu-sheng commented Jun 9, 2022

Two things

  1. Update this file according to your version bump up, https://github.com/apache/skywalking-nodejs/blob/master/dist/LICENSE#L218
  2. Please make the title and description clear in the PR about which CVEs(IDs) you are going to fix.

@wu-sheng wu-sheng added the dependencies Keep tracking dependencies version, CVE, etc. label Jun 9, 2022
@wu-sheng wu-sheng changed the title fix protobufjs Bump up grpc-node to 1.6.7 to fix CVE-2022-25878 Jun 9, 2022
@wu-sheng wu-sheng requested a review from kezhenxu94 June 9, 2022 06:58
@wu-sheng wu-sheng added this to the 0.5.0 milestone Jun 9, 2022
Member

@kezhenxu94 kezhenxu94 left a comment

Please run npm i && npm run build, and then include the package-lock.json into the codebase

@alanlvle
Contributor Author

alanlvle commented Jun 9, 2022

ok

"resolved": "https://registry.npmjs.org/@grpc/proto-loader/-/proto-loader-0.6.7.tgz",
"integrity": "sha512-QzTPIyJxU0u+r2qGe8VMl3j/W2ryhEvBv7hc42OjYfthSj370fUrb7na65rG6w3YLZS/fb8p89iTBobfWGDgdw==",
"version": "0.6.13",
"resolved": "https://npm.zatech.online/@grpc%2fproto-loader/-/proto-loader-0.6.13.tgz",
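Review bot: the second `resolved` entry, `https://npm.zatech.online/@grpc%2fproto-loader/-/proto-loader-0.6.13.tgz`, points at a private mirror, whereas the 0.6.7 entry above it resolves from `https://registry.npmjs.org/...`. A package-lock.json committed to the repository should resolve every package from the public registry so that every contributor and CI build fetches the same tarball from the same source; regenerate the lock with the default registry configured (no proxy or mirror) before committing it.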
Member

I think you set a proxy? This should be changed.

Contributor Author

OK, I update it

@wu-sheng wu-sheng requested a review from kezhenxu94 June 9, 2022 08:48
@kezhenxu94 kezhenxu94 merged commit 5fc4f2e into apache:master Jun 9, 2022