Skip to content

[GHSA-6628-q6j9-w8vg] gRPC Reachable Assertion issue#2488

Merged
advisory-database[bot] merged 1 commit intojonasfj/advisory-improvement-2488from
jonasfj-GHSA-6628-q6j9-w8vg
Jul 13, 2023
Merged

[GHSA-6628-q6j9-w8vg] gRPC Reachable Assertion issue#2488
advisory-database[bot] merged 1 commit intojonasfj/advisory-improvement-2488from
jonasfj-GHSA-6628-q6j9-w8vg

Conversation

@jonasfj
Copy link
Copy Markdown

@jonasfj jonasfj commented Jul 11, 2023

Updates

  • Affected products

Comments
The fix grpc/grpc@2485fa9 referenced in the description doesn't touch any code used by the Dart grpc implementation.

@github-actions github-actions Bot changed the base branch from main to jonasfj/advisory-improvement-2488 July 11, 2023 10:20
@darakian
Copy link
Copy Markdown
Contributor

darakian commented Jul 11, 2023

Hey there, is the dart code a parallel implementation?

@darakian darakian mentioned this pull request Jul 11, 2023
Merged
@jonasfj
Copy link
Copy Markdown
Author

jonasfj commented Jul 13, 2023
edited
Loading

is the dart code a parallel implementation?

Yes, if you look at the Dart package on pub.dev:
https://pub.dev/packages/grpc

It has pubspec.yaml with repository set to https://github.com/grpc/grpc-dart, see:
https://pub.dev/packages/grpc/pubspec

There is both a repository and a homepage field in the pubspec.yaml (some packages have both, some only have one of them, some link to a folder in a repository). But looking for github.com/<org>/<repo> with a regex works pretty reliably.

We have APIs that makes it easy to list all package names, and get the pubspec.yaml for each package, so it should be easy to create a mapping from package name to github repository. Feel free to hit me up for details jonasfj@google.com.

@jonasfj jonasfj mentioned this pull request Jul 13, 2023
Merged
@jonasfj
Copy link
Copy Markdown
Author

jonasfj commented Jul 13, 2023

Actually, looking at NuGet (where I don't have any expertise), it seems like:

Just by looking at the "Source repository" link on nuget.org.

@darakian
Copy link
Copy Markdown
Contributor

darakian commented Jul 13, 2023

Gotcha. I can go ahead and remove the dart package for this (and the other two). Looking at the nuget package it would see that Grpc.Core is an older implementation
https://github.com/grpc/grpc-dotnet#grpc-for-net-is-now-the-recommended-implementation
I'll update that as well 👍

We have APIs that makes it easy to list all package names, and get the pubspec.yaml for each package, so it should be easy to create a mapping from package name to github repository. Feel free to hit me up for details jonasfj@google.com.

The edge cases end up being the hard part for that mapping. Will reach out whenever I get to it though 😄

@advisory-database advisory-database Bot merged commit 3327661 into jonasfj/advisory-improvement-2488 Jul 13, 2023
@advisory-database advisory-database Bot deleted the jonasfj-GHSA-6628-q6j9-w8vg branch July 13, 2023 20:45
@advisory-database
Copy link
Copy Markdown
Contributor

advisory-database Bot commented Jul 13, 2023

Hi @jonasfj! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonasfj @darakian