version 10.0.1 depends on vulnerable protobufjs

[slowtick]

Version 10.0.1 of @google-cloud/datastore library sets "protobufjs": "7.0.0" which has a critical vulnerability.

# npm audit report

protobufjs  7.0.0 - 7.2.4
Severity: critical
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install @google-cloud/datastore@9.2.1, which is a breaking change
node_modules/@google-cloud/datastore/node_modules/protobufjs
  @google-cloud/datastore  >=10.0.1
  Depends on vulnerable versions of protobufjs
  node_modules/@google-cloud/datastore

2 critical severity vulnerabilities

Overriding to "protobufjs": "^7.0.0" seem to bring in latest of protobufjs that mitigates the vulnerability & seem to work okay in our tests.

Can this dependency be updated and released?

[cebrix]

We are having same issue.

[cristianrgreco]

@danieljbruce any chance this can be looked at? We have dependabot proposing to introduce critical vulnerabilities

[pablocoberly]

Same issue here. We'd rather not have to revert to a version using pre-node node 18.

[matt-blanchette]

The strict "protobufjs": "7.0.0" version is inconsistent with dependency google-gax

google-gax 5.0.2-rc.1 depends on "protobufjs": "^7.5.0"
Latest google-gax 5.0.1 depends on "protobufjs": "^7.5.3"

But it looks like protobufjs 7.5 isn't compatible at the moment (see #1400)

[kirillgroshkov]

Is PR to fix this (to switch to ^) welcome?