Update to protobufjs 7

[dbrgn]

protobufjs 7 has been out for almost a year now: https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md#700-2022-07-08 It contains quite a few bugfixes.

Are there any plans to upgrade to protobufjs 7.x? (I'm working in a project that uses both ts-proto and protobufjs, so this is currently an upgrade-blocker for me 🙂)

[stephenh]

@dbrgn I'd love to see an upgrade to protobuf 7, but personally am more in "stewardship mode" for ts-proto that actively making changes; would be great if you wanted to take this on, and I'd be happy to help out on the PR.

Can you tell how big of an upgrade it will be? Scanning the release notes, it doesn't seem too bad?

[vriesk]

Upping this.

There have been recent security issues with protobufjs, fixed in 7.2.4 release.

[ping-localhost]

Please update to protobufjs 7, the old versions contain a Prototype Pollution vulnerability.

See GHSA-h755-8qp9-cq85 for more information

[stephenh]

Hi @ping-localhost , thanks for the link. Per above we're waiting on someone to volunteer for this work/submit a PR.

If you have a client/org that absolutely needs this upgrade/security issue fixed, I very occasionally do consulting for ts-proto work, so feel free to drop me an email, but really I'd prefer if someone would work on a PR, and then I'd be happy to merge it. Thanks!

[ping-localhost]

If you have a client/org that absolutely needs this upgrade/security issue fixed [...]

Just personal use. I use npm audit whenever I'm building something, which is how I found out about the security issue.

Per above we're waiting on someone to volunteer for this work/submit a PR.

It seems that there is already a PR pending #867, but I'll take a closer look, since I see there is another PR that is failing.

[dbrgn]

Sorry for not following up on this, @stephenh. I did intend to prepare a pull request, but never got around to it. (And before this advisory was published, it didn't seem urgent.)

With #867 being open: How thorough is the test suite? Is it sufficient that the tests pass with the new dependency, or are further verifications necessary?

[stephenh]

Np @dbrgn ! The #867 is just for the /protos subdirectory; I think the primary dependabot for protobuf 7 PR is this one:

#866

Which is failing at the pbjs part of the build, which seems kinda surprising:

Run ./integration/pbjs.sh
Usage Error: Couldn't find a script named "pbjs".

Although the pbjs output is provided by the protobuf.js project, so perhaps they changed something in how that is published/invoked.

[ping-localhost]

With ProtobufJS 7 the CLI part was moved into a new package: protobufjs-cli (which includes pbjs and pbts). I think that the PR should be fixed by requiring this new package. 🤔

Will try it myself a bit later on today, if nobody else does it before me.

[threema-lenny]

I'm on it.

[stephenh]

🎉 This issue has been resolved in version 1.153.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release
• v1.153.0

Your semantic-release bot 📦🚀