grpc
/
grpc-node
mirror of https://github.com/grpc/grpc-node.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update protobufjs_redos 

Add variants, newlines, changed words slightly.
This commit is contained in:
Michael Lumish 2018-05-22 17:23:24 -07:00 committed by GitHub
parent d8016fa09d
commit faa1169493
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.github/ISSUE_TEMPLATE/protobufjs_redos vendored
View File

@ -3,6 +3,10 @@ name: ReDoS vulnerability
about: npm audit reports that protobufjs has a ReDoS vulnerability. about: npm audit reports that protobufjs has a ReDoS vulnerability.
--- ---
As I ran `npm install`, the tool told me that protobufjs has 1 moderate vulnerability, as described here: https://nodesecurity.io/advisories/605 As I [ran `npm install`]/[ran 'npm audit']/[got a report from Snyk],
the tool told me that protobufjs has 1 moderate vulnerability exported
through the `grpc` package, as described here: https://nodesecurity.io/advisories/605
The gRPC team is aware of this, and this issue would be a duplicate of #277. The gRPC package can't upgrade the protobufjs dependency without proceeding with a breaking change, and the fix has been backported to protobufjs 5.0.3 already - it's simply the nodesecurity.io database that is outdated. The gRPC team is aware of this, and this issue is a duplicate of #277.
Upgrading this depdendency would be a breaking change, and the fix has been backported
to protobufjs 5.0.3 already; the [nodesecurity.io]/[Snyk] database is simply outdated.