
fix: mitigate CVE-2024-37168 #1619

Closed

Conversation


@coreydaley coreydaley commented Jun 13, 2024

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

Fixes #1620

@coreydaley coreydaley requested review from a team as code owners June 13, 2024 00:07
@product-auto-label product-auto-label bot added the size: xs Pull request size is extra small. label Jun 13, 2024
@coreydaley coreydaley changed the title Update package.json to mitigate CVE-2024-37168 fix: mitigate CVE-2024-37168 Jun 13, 2024

🤖 I detect that the PR title and the commit message differ and there's only one commit. To use the PR title for the commit history, you can use Github's automerge feature with squashing, or use automerge label. Good luck human!

-- conventional-commit-lint bot
https://conventionalcommits.org/

@SmashingQuasar

I think it would be a better alternative to change the package reference to a more lenient approach such as:

"@grpc/grpc-js": "^1.10.9",

Or to install DependaBot or similar to avoid having to handle this type of issue manually.
This package is widely used in Google projects, and having vulnerable dependencies has serious repercussions on hundreds of projects.

@coreydaley
Author

I think it would be a better alternative to change the package reference to a more lenient approach such as:

"@grpc/grpc-js": "^1.10.9",

Or to install DependaBot or similar to avoid having to handle this type of issue manually. This package is widely used in Google projects, and having vulnerable dependencies has serious repercussions on hundreds of projects.

Updated per your suggestion. Thanks!

@coreydaley
Author

@sofisl It looks like these two tests are failing on multiple recent pull requests. Is there a fix in the works?

@product-auto-label product-auto-label bot added size: u Pull request is empty. and removed size: xs Pull request size is extra small. labels Jun 20, 2024
@coreydaley
Author

Superseded by #1622

@coreydaley coreydaley closed this Jun 20, 2024
Labels: size: u Pull request is empty.

Successfully merging this pull request may close these issues: Update grpc-js to ~1.10.9 to mitigate CVE-2024-37168