fix(cmd-api-server): fix CVE-2023-36665 protobufjs try 2

1. Upgraded fabric-network from 2.2.10 to 2.2.18 wherever it was still 2.2.10 2. Upgraded ipfs-http-client project-wide from 51.0.1 to 60.0.1 3. Upgraded @google-cloud/secret-manager from 3.9.0 to 5.0.1 This is the second try at fixing this issue. While it was in review other commits already snuck back in more older versions of the vulnerable dependency so before merging this I also add a resolution in the root package.json file to ensure that the vulnerable version is not used at all regardless of it being a dependency of a dependency. [skip ci] Fixes hyperledger#2682 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Yogesh01000100 · Oct 18, 2023 · 5f43c29 · 5f43c29
1 parent 5ba385a
commit 5f43c29
Show file tree

Hide file tree

Showing 6 changed files with 802 additions and 400 deletions.
diff --git a/examples/cactus-example-cbdc-bridging-backend/package.json b/examples/cactus-example-cbdc-bridging-backend/package.json
@@ -75,7 +75,7 @@
     "dotenv": "^16.0.1",
     "fabric-network": "2.2.19",
     "fs-extra": "10.1.0",
-    "ipfs-http-client": "51.0.1",
+    "ipfs-http-client": "60.0.1",
     "knex": "2.5.1",
     "nyc": "^13.1.0",
     "openapi-types": "9.1.0",

diff --git a/extensions/cactus-plugin-object-store-ipfs/package.json b/extensions/cactus-plugin-object-store-ipfs/package.json
@@ -59,7 +59,7 @@
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
     "axios": "0.21.4",
-    "ipfs-http-client": "51.0.1",
+    "ipfs-http-client": "60.0.1",
     "run-time-error": "1.4.0",
     "typescript-optional": "2.0.1",
     "uuid": "8.3.2"

diff --git a/package.json b/package.json
@@ -82,6 +82,7 @@
     "lodash": ">=4.17.21",
     "minimist": ">=1.2.6",
     "node-forge": ">=1.3.0",
+    "protobufjs": ">=7.2.5",
     "underscore": "1.13.2"
   },
   "devDependencies": {

diff --git a/packages/cactus-plugin-keychain-google-sm/package.json b/packages/cactus-plugin-keychain-google-sm/package.json
@@ -55,7 +55,7 @@
     "webpack:dev:web": "webpack --env=dev --target=web --config ../../webpack.config.js"
   },
   "dependencies": {
-    "@google-cloud/secret-manager": "3.9.0",
+    "@google-cloud/secret-manager": "5.0.1",
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",

diff --git a/packages/cactus-plugin-odap-hermes/package.json b/packages/cactus-plugin-odap-hermes/package.json
@@ -73,7 +73,7 @@
     "@types/tape": "4.13.4",
     "crypto-js": "4.0.0",
     "fabric-network": "2.2.19",
-    "ipfs-http-client": "51.0.1",
+    "ipfs-http-client": "60.0.1",
     "typescript": "4.9.5"
   },
   "engines": {