NPM Vulnerability: protobufjs 6.10.0 - 7.2.3

Just wanted to call this out as it impacts new installations of the @gathertown/gather-game-client npm package. Per this GitHub advisory, the version of protobufjs that the gathertown websocket npm package uses has a vulnerability, which NPM yells about and can cause some headaches with deployments.

# npm audit report

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability -
fix available via `npm audit fix --force`
Will install protobufjs@7.2.4, which is a breaking change
  ts-proto  1.115.1 - 1.152.1
  Depends on vulnerable versions of protobufjs

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

For now I am probably just going to push through, as I want to be using the most recent version of the websocket protocols.

Has anyone else seen this/found a workaround in the short term? I wanted to avoid going in and changing versions of files within a package (especially as those changes might have side-effects). @Kevin-RtR @npfoss
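The short-term question above comes down to which installed packages actually resolve to a protobufjs copy inside the flagged range. The lockfile scan below is an added example, not code from the thread or from the gather-game-client package; its lockfile data is constructed (the 6.10.0 - 7.2.3 range and ts-proto 1.152.1 come from the npm audit output above, other-lib and all version numbers for the Gather packages are invented), and it assumes a lockfileVersion 2 or 3 package-lock.json.

```javascript
// Added example, not code from the thread or the gather-game-client package.
// Scans an npm lockfile (lockfileVersion 2/3 "packages" map) for protobufjs
// copies inside the advisory range 6.10.0 - 7.2.3 and reports which installed
// packages resolve to each copy. SAMPLE_LOCK below is constructed test data.
const VULN_PKG = "protobufjs", VULN_MIN = "6.10.0", VULN_MAX = "7.2.3"; // inclusive
// Numeric compare of "x.y.z" versions; pre-release suffixes are ignored.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
function inVulnRange(v) {
  return cmpVersion(v, VULN_MIN) >= 0 && cmpVersion(v, VULN_MAX) <= 0;
}
// Node-style resolution: try fromPath's own node_modules, then walk up one
// node_modules level at a time until the project root (lockfile key "").
function resolveFrom(pkgs, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (pkgs[candidate]) return candidate;
    if (dir === "") return null;
    dir = dir.slice(0, dir.lastIndexOf("node_modules/")).replace(/\/$/, "");
  }
}
// Returns { lockfilePath: { version, dependents } } for each vulnerable copy.
function findVulnerable(lock) {
  const pkgs = lock.packages || {}, hits = {};
  for (const [path, meta] of Object.entries(pkgs)) {
    if (!(meta.dependencies || {})[VULN_PKG]) continue; // declares no protobufjs dep
    const target = resolveFrom(pkgs, path, VULN_PKG);
    if (!target || !inVulnRange(pkgs[target].version)) continue;
    if (!hits[target]) hits[target] = { version: pkgs[target].version, dependents: [] };
    hits[target].dependents.push(path || "(root project)");
  }
  return hits;
}
// Constructed: gather-game-client -> ts-proto -> protobufjs@7.2.3 (flagged); other-lib nests a patched 7.2.4.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@gathertown/gather-game-client": "*" } },
  "node_modules/@gathertown/gather-game-client": { version: "0.0.0", dependencies: { "ts-proto": "*" } },
  "node_modules/ts-proto": { version: "1.152.1", dependencies: { protobufjs: "^7.0.0" } },
  "node_modules/protobufjs": { version: "7.2.3" },
  "node_modules/other-lib": { version: "1.0.0", dependencies: { protobufjs: "^7.2.4" } },
  "node_modules/other-lib/node_modules/protobufjs": { version: "7.2.4" },
} };
console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK), null, 2));
```

Pass a parsed package-lock.json (`JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`) to findVulnerable to get the same mapping for a real project. An `overrides` entry for protobufjs in package.json (npm 8.3 and later) is one way to force the patched version without editing files inside node_modules; rerun the scan on the regenerated lockfile to confirm it took effect.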

Hey @Bill_Uncork-It!

Sorry for just seeing this now! I’ve just been pushing through with this vulnerability as well. Looking forward to Nate’s (@npfoss) feedback though!


Sorry for the delay – this didn’t seem super concerning, but better to be sure. I’ll update and publish a new version this week.

Actually the vuln doesn’t apply to us at all (we’re not using custom .protos or the functions that were vulnerable), so I’m going to update this less urgently. It’ll be fixed by the next time we publish the package though.

Update: V43.0.1 released.