Update to protobufjs 7 #834
Comments
@dbrgn I'd love to see an upgrade to protobuf 7, but personally am more in "stewardship mode" for ts-proto than actively making changes; would be great if you wanted to take this on, and I'd be happy to help out on the PR. Can you tell how big of an upgrade it will be? Scanning the release notes, it doesn't seem too bad?
Upping this. There have been recent security issues with
Please update to protobufjs 7, the old versions contain a Prototype Pollution vulnerability. See GHSA-h755-8qp9-cq85 for more information.
Hi @ping-localhost, thanks for the link. Per above we're waiting on someone to volunteer for this work/submit a PR. If you have a client/org that absolutely needs this upgrade/security issue fixed, I very occasionally do consulting for ts-proto work, so feel free to drop me an email, but really I'd prefer if someone would work on a PR, and then I'd be happy to merge it. Thanks!
Just personal use. I use
It seems that there is already a PR pending #867, but I'll take a closer look, since I see there is another PR that is failing.
Sorry for not following up on this, @stephenh. I did intend to prepare a pull request, but never got around to it. (And before this advisory was published, it didn't seem urgent.) With #867 being open: How thorough is the test suite? Is it sufficient that the tests pass with the new dependency, or are further verifications necessary?
Np @dbrgn! The #867 is just for the Which is failing at the
Although the pbjs output is provided by the protobuf.js project, so perhaps they changed something in how that is published/invoked. |
With ProtobufJS 7 the CLI part was moved into a new package: protobufjs-cli (which includes Will try it myself a bit later on today, if nobody else does it before me.
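Two practical checks follow from the thread above: whether any copy of protobufjs below major 7 (the line covered by GHSA-h755-8qp9-cq85) is still resolved in a project, possibly nested under ts-proto, and whether build scripts still call pbjs/pbts without depending on protobufjs-cli now that the CLI lives there. This Node.js audit is an added example, not code from ts-proto or protobuf.js; the lockfile and package.json it inspects are constructed samples, and the `packages` layout it reads is the npm lockfileVersion 2/3 format.

```javascript
// Constructed sample package-lock.json ("packages" layout), not a real project's
// file: the app itself uses protobufjs 7.x, but ts-proto nests an older copy.
const sampleLock = {
  packages: {
    '': { dependencies: { 'ts-proto': '1.150.0', protobufjs: '^7.2.0' } },
    'node_modules/protobufjs': { version: '7.2.0' },
    'node_modules/ts-proto': { version: '1.150.0' },
    'node_modules/ts-proto/node_modules/protobufjs': { version: '6.11.3' },
  },
};

// Constructed sample package.json: pbjs is invoked, but protobufjs-cli is absent.
const samplePkg = {
  scripts: { 'gen:proto': 'pbjs -t static-module -o gen.js proto/*.proto' },
  dependencies: { protobufjs: '^7.2.0' },
  devDependencies: {},
};

// Major version from a resolved version ("6.11.3") or a range ("^7.2.0").
function majorOf(version) {
  const m = /(\d+)\.\d+\.\d+/.exec(version || '');
  return m ? Number(m[1]) : NaN;
}

// Every installed protobufjs copy (top-level or nested) below `minMajor`.
// An unparsable version yields NaN and is flagged rather than silently passed.
function findOldProtobufjs(lock, minMajor = 7) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === 'node_modules/protobufjs' || p.endsWith('/node_modules/protobufjs'))
    .filter(([, meta]) => !(majorOf(meta.version) >= minMajor))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// True when scripts call pbjs/pbts, protobufjs is 7+, and protobufjs-cli is missing.
function needsProtobufjsCli(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const usesCli = Object.values(pkg.scripts || {}).some((s) => /\bpb(js|ts)\b/.test(s));
  return usesCli && majorOf(deps.protobufjs) >= 7 && !('protobufjs-cli' in deps);
}

// Combined report; in a real project, load both files with JSON.parse(fs.readFileSync(...)).
function audit(lock, pkg) {
  return { oldCopies: findOldProtobufjs(lock), missingCli: needsProtobufjsCli(pkg) };
}

console.log(JSON.stringify(audit(sampleLock, samplePkg), null, 2));
```

The nested copy under ts-proto is the one `npm ls protobufjs` would also show, which is why a top-level bump alone did not close the advisory for projects using both packages.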
I'm on it. |
🎉 This issue has been resolved in version 1.153.0 🎉 The release is available on: Your semantic-release bot 📦🚀
protobufjs 7 has been out for almost a year now: https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md#700-2022-07-08 It contains quite a few bugfixes.
Are there any plans to upgrade to protobufjs 7.x? (I'm working in a project that uses both ts-proto and protobufjs, so this is currently an upgrade-blocker for me 🙂)