Skip to content

fix(deps): vuln unstable upgrades — 18 packages (unstable: 1 · minor: 10 · patch: 7) [src/currencyservice]#64

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/npm/currencyservice/2-1783347816
Open

fix(deps): vuln unstable upgrades — 18 packages (unstable: 1 · minor: 10 · patch: 7) [src/currencyservice]#64
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/npm/currencyservice/2-1783347816

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 26 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • src/currencyservice (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
protobufjs 7.1.1 7.6.5 minor Transitive 3 CRITICAL, 5 HIGH, 5 MEDIUM
@grpc/grpc-js 1.8.0 1.14.4 minor Direct 2 HIGH, 2 MEDIUM
@opentelemetry/sdk-node 0.34.0 0.220.0 unstable Direct 1 HIGH
@grpc/proto-loader 0.7.4 0.8.1 unstable Direct -
@opentelemetry/sdk-trace-base 1.8.0 2.9.0 major Direct -
@opentelemetry/api 1.3.0 1.9.1 minor Direct -
@opentelemetry/context-async-hooks 1.8.0 1.30.1 minor Transitive -
@opentelemetry/exporter-zipkin 1.8.0 1.30.1 minor Transitive -
@opentelemetry/propagator-b3 1.8.0 1.30.1 minor Transitive -
@opentelemetry/propagator-jaeger 1.8.0 1.30.1 minor Transitive -
@opentelemetry/resources 1.0.0 1.30.1 minor Transitive -
@opentelemetry/sdk-metrics 1.8.0 1.30.1 minor Transitive -
@opentelemetry/sdk-trace-base 1.8.0 1.30.1 minor Direct -
@opentelemetry/sdk-trace-node 1.8.0 1.30.1 minor Transitive -
@opentelemetry/semantic-conventions 1.0.0 1.41.1 minor Transitive -
@types/node 18.11.9 18.19.130 minor Transitive -
debug 4.3.4 4.4.3 minor Transitive -
escalade 3.1.1 3.2.0 minor Transitive -
long 5.2.1 5.3.2 minor Transitive -
@grpc/proto-loader 0.7.4 0.7.15 patch Direct -
@opentelemetry/resources 1.0.0 1.0.1 patch Transitive -
@opentelemetry/semantic-conventions 1.0.0 1.0.1 patch Transitive -
@types/node 18.11.9 18.11.19 patch Transitive -
debug 4.3.4 4.3.7 patch Transitive -
escalade 3.1.1 3.1.2 patch Transitive -
long 5.2.1 5.2.5 patch Transitive -

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (11 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
protobufjs GHSA-xq3m-2v4x-88gg CRITICAL Arbitrary code execution in protobufjs 7.1.1 8.0.1 -
protobufjs CVE-2023-36665 CRITICAL - 7.1.1 - -
protobufjs GHSA-h755-8qp9-cq85 CRITICAL protobufjs Prototype Pollution vulnerability 7.1.1 7.2.5 -
@grpc/grpc-js GHSA-5375-pq7m-f5r2 HIGH @grpc/grpc-js: A malformed request can cause a server crash 1.8.0 1.9.16 -
@grpc/grpc-js GHSA-99f4-grh7-6pcq HIGH @grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash 1.8.0 1.9.16 -
@opentelemetry/sdk-node GHSA-q7rr-3cgh-j5r3 HIGH Prometheus exporter process crash via malformed HTTP request 0.34.0 0.217.0 -
protobufjs GHSA-66ff-xgx4-vchm HIGH protobuf.js: Code injection through bytes field defaults in generated toObject code 7.1.1 7.5.6 -
protobufjs GHSA-685m-2w69-288q HIGH protobuf.js: Denial of service through unbounded protobuf recursion 7.1.1 7.5.6 -
protobufjs GHSA-jvwf-75h9-cwgg HIGH protobuf.js: Process-wide denial of service through unsafe option paths 7.1.1 7.5.6 -
protobufjs GHSA-wcpc-wj8m-hjx6 HIGH protobufjs: Denial of service through unbounded Any expansion during JSON conversion 7.1.1 7.6.1 -
protobufjs GHSA-75px-5xx7-5xc7 HIGH protobuf.js: Code generation gadget after prototype pollution 7.1.1 7.5.6 -
ℹ️ Other Vulnerabilities (7)
Package CVE Severity Summary Unsafe Version Fixed In Case
@grpc/grpc-js CVE-2024-37168 MODERATE @grpc/grpc-js can allocate memory for incoming messages well above configured limits 1.8.0 - -
@grpc/grpc-js GHSA-7v5v-9h63-cj86 MODERATE @grpc/grpc-js can allocate memory for incoming messages well above configured limits 1.8.0 1.10.9 -
protobufjs GHSA-jggg-4jg4-v7c6 MODERATE protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion 7.1.1 7.5.8 -
protobufjs GHSA-f38q-mgvj-vph7 MODERATE protobufjs : Schema-derived names can shadow runtime-significant properties 7.1.1 7.6.3 -
protobufjs GHSA-fx83-v9x8-x52w MODERATE protobuf.js: Prototype injection in generated message constructors 7.1.1 7.5.6 -
protobufjs GHSA-2pr8-phx7-x9h3 MODERATE protobuf.js: Denial of service from crafted field names in generated code 7.1.1 7.5.6 -
protobufjs GHSA-q6x5-8v7m-xcrf MODERATE protobufjs has overlong UTF-8 decoding 7.1.1 7.5.6 -

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants