Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump up grpc-node to 1.6.7 to fix CVE-2022-25878 #85

Merged
merged 4 commits into from
Jun 9, 2022

Conversation

alanlvle
Copy link
Contributor

@alanlvle alanlvle commented Jun 9, 2022

@wu-sheng
Copy link
Member

wu-sheng commented Jun 9, 2022

What is this version bump up about?

@alanlvle
Copy link
Contributor Author

alanlvle commented Jun 9, 2022

Our international business monitoring uses skywalking-nodejs, the security scanning tool aquasec reports high-risk vulnerabilities, and dependencies need to be upgraded.

@wu-sheng
Copy link
Member

wu-sheng commented Jun 9, 2022

Two things

  1. Update this file according to your version bump up, https://github.com/apache/skywalking-nodejs/blob/master/dist/LICENSE#L218
  2. Please make the title and description clear in the PR about which CVEs(IDs) you are going to fix.

@wu-sheng wu-sheng added the dependencies Keep tracking dependencies version, CVE, etc. label Jun 9, 2022
@wu-sheng wu-sheng changed the title fix protobufjs Bump up grpc-node to 1.6.7 to fix CVE-2022-25878 Jun 9, 2022
@wu-sheng wu-sheng requested a review from kezhenxu94 June 9, 2022 06:58
@wu-sheng wu-sheng added this to the 0.5.0 milestone Jun 9, 2022
Copy link
Member

@kezhenxu94 kezhenxu94 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please run npm i && npm run build, and then include the package-lock.json into the codebase

@alanlvle
Copy link
Contributor Author

alanlvle commented Jun 9, 2022

ok

"resolved": "https://registry.npmjs.org/@grpc/proto-loader/-/proto-loader-0.6.7.tgz",
"integrity": "sha512-QzTPIyJxU0u+r2qGe8VMl3j/W2ryhEvBv7hc42OjYfthSj370fUrb7na65rG6w3YLZS/fb8p89iTBobfWGDgdw==",
"version": "0.6.13",
"resolved": "https://npm.zatech.online/@grpc%2fproto-loader/-/proto-loader-0.6.13.tgz",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you set a proxy? This should be changed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK,I update it

@wu-sheng wu-sheng requested a review from kezhenxu94 June 9, 2022 08:48
@kezhenxu94 kezhenxu94 merged commit 5fc4f2e into apache:master Jun 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Keep tracking dependencies version, CVE, etc.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants