NPM Vulnerability: protobufjs 6.10.0 - 7.2.3

Just wanted to call this out as it impacts new installations of the @gathertown/gather-game-client npm package. Per this GitHub advisory, the version of protobufjs that the gathertown websocket npm package uses has a vulnerability, which NPM yells about and can cause some headaches with deployments.

# npm audit report

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install protobufjs@7.2.4, which is a breaking change
node_modules/protobufjs
  ts-proto  1.115.1 - 1.152.1
  Depends on vulnerable versions of protobufjs
  node_modules/ts-proto

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

For now I am probably just going to push through, as I want to be using the most recent version of the websocket protocols.

Has anyone else seen this/found a workaround in the short term? I wanted to avoid going in and changing versions of files within a package (especially as those changes might have side-effects). @Kevin-RtR @npfoss
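As an added example (not code from the thread or from the Gather package), a small Node script that does offline, against a package-lock.json, the check the audit output above does on a fresh install: it flags every protobufjs copy inside the advisory range and names the packages that resolve to that copy. The sample lockfile is constructed; the affected range and the fix version come from the audit output.

```javascript
// Added example (not the thread's or Gather's code): scan a package-lock.json
// v2/v3 "packages" map for protobufjs copies in the advisory range 6.10.0 - 7.2.3.
const VULN_MIN = [6, 10, 0]; // first affected version (GHSA-h755-8qp9-cq85)
const FIXED = [7, 2, 4];     // first fixed version, as npm audit reports
const parseVersion = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
};
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
const isAffected = (version) => { // affected when VULN_MIN <= v < FIXED
  const v = parseVersion(version);
  return cmp(v, VULN_MIN) >= 0 && cmp(v, FIXED) < 0;
};
// Node-style resolution: try a nested node_modules/protobufjs under the dependent,
// then walk up one node_modules level at a time until the root copy is reached.
function resolveProtobufjs(fromPath, pkgs) {
  for (let base = fromPath; ; ) {
    const cand = (base ? base + '/' : '') + 'node_modules/protobufjs';
    if (pkgs[cand]) return cand;
    const i = base.lastIndexOf('node_modules/');
    if (i < 0) return null;
    base = base.slice(0, Math.max(0, i - 1));
  }
}
// Returns [{ path, version, dependents }] for every affected copy in the lockfile.
function findVulnerableProtobufjs(lock) {
  const pkgs = lock.packages || {};
  const hits = new Map();
  for (const [p, meta] of Object.entries(pkgs)) {
    if (!meta.dependencies || !('protobufjs' in meta.dependencies)) continue;
    const copy = resolveProtobufjs(p, pkgs);
    if (!copy || !isAffected(pkgs[copy].version)) continue;
    const hit = hits.get(copy) || { version: pkgs[copy].version, dependents: [] };
    hit.dependents.push(p || '(root project)');
    hits.set(copy, hit);
  }
  return [...hits].map(([path, hit]) => ({ path, ...hit }));
}
// Constructed lockfile mirroring the post's audit output: one hoisted protobufjs
// 7.2.2 reached by ts-proto and the client package; other-lib carries its own fixed copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { '@gathertown/gather-game-client': '*' } },
  'node_modules/@gathertown/gather-game-client': { version: '0.0.0-constructed', dependencies: { 'ts-proto': '*', protobufjs: '*' } },
  'node_modules/ts-proto': { version: '1.140.0', dependencies: { protobufjs: '*' } },
  'node_modules/protobufjs': { version: '7.2.2' },
  'node_modules/other-lib': { version: '1.0.0', dependencies: { protobufjs: '^7.2.4' } },
  'node_modules/other-lib/node_modules/protobufjs': { version: '7.2.4' },
} };
console.log(JSON.stringify(findVulnerableProtobufjs(SAMPLE_LOCK), null, 2));
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. With npm 8.3 or later, an `overrides` entry in package.json that forces protobufjs to ^7.2.4 pins the transitive copy without editing anything under node_modules, which is the short-term option that avoids touching files inside the package.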

Hey @Bill_Uncork-It!

Sorry for just seeing this now! I’ve just been pushing through with this vulnerability as well. Looking forward to Nate’s (@npfoss) feedback though!

Best,
Kevin

Sorry for the delay – this didn’t seem super concerning, but better to be sure. I’ll update and publish a new version this week.

Actually the vuln doesn’t apply to us at all (we’re not using custom .protos or the functions that were vulnerable), so I’m going to update this less urgently. It’ll be fixed by the next time we publish the package though.

Update: V43.0.1 released