From d8016fa09da7c73b82dd380a90dfd55f52cecd0d Mon Sep 17 00:00:00 2001 From: Nicolas Noble Date: Tue, 22 May 2018 16:25:45 -0700 Subject: [PATCH] Create template issue for protobufjs specifically. --- .github/ISSUE_TEMPLATE/protobufjs_redos | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/protobufjs_redos diff --git a/.github/ISSUE_TEMPLATE/protobufjs_redos b/.github/ISSUE_TEMPLATE/protobufjs_redos new file mode 100644 index 00000000..a0505c4e --- /dev/null +++ b/.github/ISSUE_TEMPLATE/protobufjs_redos @@ -0,0 +1,8 @@ +--- +name: ReDoS vulnerability +about: npm audit reports that protobufjs has a ReDoS vulnerability. + +--- +As I ran `npm install`, the tool told me that protobufjs has 1 moderate vulnerability, as described here: https://nodesecurity.io/advisories/605 + +The gRPC team is aware of this, and this issue would be a duplicate of #277. The gRPC package can't upgrade the protobufjs dependency without proceeding with a breaking change, and the fix has been backported to protobufjs 5.0.3 already - it's simply the nodesecurity.io database that is outdated.
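Review bot: The new file `.github/ISSUE_TEMPLATE/protobufjs_redos` has no `.md` extension, and GitHub's issue-template chooser only lists Markdown templates from that directory, so as written this template is unlikely to be offered to filers; renaming it `protobufjs_redos.md` would fix that. On the content: the body is pre-filled in the filer's voice ("As I ran `npm install`, the tool told me ...") and then immediately answers itself ("this issue would be a duplicate of #277"), which leaves a user who picks the template with nothing to do but open a duplicate anyway. Since the stated goal is to deflect these reports, consider moving the key facts into the `about:` line so they are visible in the chooser before an issue is created, e.g. `about: npm audit reports a ReDoS in protobufjs (nodesecurity.io/advisories/605); this is tracked in #277, please do not open a new issue.`, and adding an explicit instruction in the body to comment on #277 instead of filing. It would also help to state the constraint precisely: the body says the package "can't upgrade the protobufjs dependency without proceeding with a breaking change" and that "the fix has been backported to protobufjs 5.0.3 already", so naming the protobufjs version the package currently pins, and the 5.0.3 backport as the version a user should verify in their lockfile, gives filers a concrete check rather than an assertion that the advisory database is outdated.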