diff --git a/.changeset/security-protobufjs-basic-ftp-fixes.md b/.changeset/security-protobufjs-basic-ftp-fixes.md
new file mode 100644
index 0000000..c128474
--- /dev/null
+++ b/.changeset/security-protobufjs-basic-ftp-fixes.md
@@ -0,0 +1,20 @@
+---
+"@connectum/otel": patch
+---
+
+security(deps): force patched versions of protobufjs and basic-ftp via pnpm overrides
+
+Resolves Dependabot alerts on main branch:
+
+- **GHSA-xq3m-2v4x-88gg** (Critical) — Arbitrary code execution in protobufjs < 7.5.5
+ (transitive via `@grpc/proto-loader` under OTel gRPC exporters).
+- **GHSA-xq3m-2v4x-88gg** (Critical) — Arbitrary code execution in protobufjs 8.0.0
+ (transitive via `@opentelemetry/otlp-transformer`).
+- **GHSA-chqc-8p9q-pq6q** (High) — basic-ftp 5.2.0 FTP Command Injection via CRLF
+ (dev-only transitive via `@exodus/test` → puppeteer-core).
+- **GHSA-6v7q-wjvx-w8wg** (High) — basic-ftp ≤ 5.2.1 incomplete CRLF protection
+ (dev-only transitive via `@exodus/test` → puppeteer-core).
+
+No runtime API changes. Only `pnpm.overrides` in the monorepo root were adjusted
+to force patched transitive versions: `protobufjs@<7.5.5 → 7.5.5`,
+`protobufjs@>=8.0.0 <8.0.1 → 8.0.1`, `basic-ftp@<5.2.2 → 5.2.2`.
diff --git a/package.json b/package.json
index 7b3c4d3..93b9ac8 100644
--- a/package.json
+++ b/package.json
@@ -56,11 +56,13 @@
 "overrides": {
 "ajv@<8.18.0": "8.18.0",
 "minimatch@<10.2.3": "10.2.3",
-"basic-ftp@<5.2.0": "5.2.0",
+"basic-ftp@<5.2.2": "5.2.2",
 "rollup@>=4.0.0 <4.59.0": "4.59.0",
 "picomatch@<2.3.2": "2.3.2",
 "picomatch@>=4.0.0 <4.0.4": "4.0.4",
-"brace-expansion@>=4.0.0 <5.0.5": "5.0.5"
+"brace-expansion@>=4.0.0 <5.0.5": "5.0.5",
+"protobufjs@<7.5.5": "7.5.5",
+"protobufjs@>=8.0.0 <8.0.1": "8.0.1"
 }
 },
 "devDependencies": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index f5074fd..6be1fdc 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
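Review bot: The three new override entries in the package.json hunk (`"basic-ftp@<5.2.2"`, `"protobufjs@<7.5.5"`, `"protobufjs@>=8.0.0 <8.0.1"`) pin the transitive resolution but do not change what the declaring dependents request, so they have to remain until `@grpc/proto-loader`, `@opentelemetry/otlp-transformer` and the `@exodus/test` chain require the patched releases themselves, and nothing records that exit condition. Because package.json cannot hold a comment, I would track it outside the file: a `pnpm audit` step in CI that fails on the listed advisories, and a follow-up issue to delete each override once `pnpm why protobufjs` / `pnpm why basic-ftp` show only patched versions requested upstream, so the `overrides` block does not accumulate stale pins. The `>=8.0.0 <8.0.1` entry appears to be a guard rather than a fix — the lockfile hunk lists `protobufjs@8.0.1:` as an unchanged context line, so 8.0.1 seems to have been resolved already — and the changeset should say so rather than present it as closing a live alert. A range-keyed override only rewrites resolutions that match its key, so a future dependent requesting a range outside `<7.5.5` or `>=8.0.0 <8.0.1` is deliberately untouched; that is the intended behaviour but worth confirming after the next dependency bump. The `pnpm` object closes inside the hunk while `devDependencies` continues past it.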
@@ -100,11 +100,13 @@ catalogs: overrides: ajv@<8.18.0: 8.18.0 minimatch@<10.2.3: 10.2.3 - basic-ftp@<5.2.0: 5.2.0 + basic-ftp@<5.2.2: 5.2.2 rollup@>=4.0.0 <4.59.0: 4.59.0 picomatch@<2.3.2: 2.3.2 picomatch@>=4.0.0 <4.0.4: 4.0.4 brace-expansion@>=4.0.0 <5.0.5: 5.0.5 + protobufjs@<7.5.5: 7.5.5 + protobufjs@>=8.0.0 <8.0.1: 8.0.1 importers: @@ -1795,10 +1797,9 @@ packages: resolution: {integrity: sha512-ipDqC8FrAl/76p2SSWKSI+H9tFwm7vYqXQrItCuiVPt26Km0jS+NzSsBWAaBusvSbQcfJG+JitdMm+wZAgTYqg==} hasBin: true - basic-ftp@5.2.0: - resolution: {integrity: sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==} + basic-ftp@5.2.2: + resolution: {integrity: sha512-1tDrzKsdCg70WGvbFss/ulVAxupNauGnOlgpyjKzeQxzyllBLS0CGLV7tjIXTK3ZQA9/FBEm9qyFFN1bciA6pw==} engines: {node: '>=10.0.0'} - deprecated: Security vulnerability fixed in 5.2.1, please upgrade better-path-resolve@1.0.0: resolution: {integrity: sha512-pbnl5XzGBdrFU/wT4jqmJVPn2B6UHPBOhzMQkY/SPUPB6QtUXtmBHBIwCbXJol93mOpGMnQyP/+BB19q04xj7g==} @@ -2816,8 +2817,8 @@ packages: resolution: {integrity: sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==} engines: {node: '>=0.4.0'} - protobufjs@7.5.4: - resolution: {integrity: sha512-CvexbZtbov6jW2eXAvLukXjXUW1TzFaivC46BpWc/3BpcCysb5Vffu+B3XHMm8lVEuy2Mm4XGex8hBSg1yapPg==} + protobufjs@7.5.5: + resolution: {integrity: sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==} engines: {node: '>=12.0.0'} protobufjs@8.0.1: @@ -3987,7 +3988,7 @@ snapshots: dependencies: lodash.camelcase: 4.3.0 long: 5.3.2 - protobufjs: 7.5.4 + protobufjs: 7.5.5 yargs: 17.7.2 '@inquirer/external-editor@1.0.3(@types/node@25.3.3)': @@ -4588,7 +4589,7 @@ snapshots: baseline-browser-mapping@2.9.19: optional: true - basic-ftp@5.2.0: + basic-ftp@5.2.2: optional: true better-path-resolve@1.0.0: 
@@ -5085,7 +5086,7 @@ snapshots: get-uri@6.0.5: dependencies: - basic-ftp: 5.2.0 + basic-ftp: 5.2.2 data-uri-to-buffer: 6.0.2 debug: 4.4.3 transitivePeerDependencies: @@ -5688,7 +5689,7 @@ snapshots: progress@2.0.3: optional: true - protobufjs@7.5.4: + protobufjs@7.5.5: dependencies: '@protobufjs/aspromise': 1.1.2 '@protobufjs/base64': 1.1.2