bazel-contrib / rules_nodejs

NodeJS toolchain for Bazel.
https://bazelbuild.github.io/rules_nodejs/
Apache License 2.0

[Bug]: CVE-2022-25878 in protobufjs 6.8.8. Severity: Medium #3761

Open mohamedmansour opened 3 months ago

mohamedmansour commented 3 months ago

What happened?

We are using the tsec package which has (pnpm ls --depth=3):

tsec 0.2.8
├─┬ @bazel/concatjs 5.8.1 peer
│ ├─┬ protobufjs 6.8.8
│ │ ├── @protobufjs/aspromise 1.1.2
│ │ ├── ...

And the only published version of @bazel/concatjs is 5.8.1, but the one in the source code is 5.8.2 (not published), which doesn't have the protobufjs vulnerability. Can we publish 5.8.2?

Version

Linux, pnpm v9.1.1, @bazel/concatjs v5.8.1

How to reproduce

Install the `tsec` package, which has a peerDependency on `"@bazel/concatjs": ">=5.3.0",` (https://github.com/google/tsec/blob/main/packages/tsec/package.json).

Any other information?

No response
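As an added example (not part of the issue thread or of rules_nodejs), this script walks `pnpm ls --json` output and reports every dependency path that reaches a copy of a package older than a given version, so a transitive hit like the tsec -> @bazel/concatjs -> protobufjs chain above can be traced to the direct dependency that pulls it in. The sample JSON is constructed to mirror the quoted tree, the field layout is an assumption about pnpm's JSON format, and the fixed-in version is a placeholder to be replaced with the value from the advisory.

```python
import json

# Constructed sample mimicking `pnpm ls --json --depth=3` for the tree quoted in
# the issue (tsec -> @bazel/concatjs -> protobufjs). The exact field layout
# (name/version/dependencies, peers under "peerDependencies") is an assumption
# about pnpm's JSON output, not something taken from the issue.
SAMPLE_PNPM_LS_JSON = json.dumps([{
    "name": "my-project", "version": "1.0.0",
    "dependencies": {
        "tsec": {"version": "0.2.8", "peerDependencies": {
            "@bazel/concatjs": {"version": "5.8.1", "dependencies": {
                "protobufjs": {"version": "6.8.8", "dependencies": {
                    "@protobufjs/aspromise": {"version": "1.1.2"}}}}}}}}}])

DEP_KEYS = ("dependencies", "devDependencies",
            "optionalDependencies", "peerDependencies")

# Placeholder only: substitute the fixed version stated in the advisory.
FIXED_IN_PLACEHOLDER = "9.9.9"


def parse_version(v):
    """Turn '6.8.8' into (6, 8, 8) for comparison; drop any pre-release tag."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def find_vulnerable_paths(ls_json, package, fixed_in):
    """Return every path (list of 'name@version') from a workspace root down to
    an installed copy of `package` whose version is older than `fixed_in`."""
    fixed = parse_version(fixed_in)
    hits = []

    def walk(node, path):
        for key in DEP_KEYS:
            for name, child in node.get(key, {}).items():
                entry = f"{name}@{child.get('version', '?')}"
                if name == package and parse_version(child["version"]) < fixed:
                    hits.append(path + [entry])
                walk(child, path + [entry])  # keep descending: nested copies

    for project in json.loads(ls_json):
        root = f"{project.get('name', '?')}@{project.get('version', '?')}"
        walk(project, [root])
    return hits


if __name__ == "__main__":
    for p in find_vulnerable_paths(SAMPLE_PNPM_LS_JSON, "protobufjs",
                                   FIXED_IN_PLACEHOLDER):
        print(" -> ".join(p))
```

In real use, pipe `pnpm ls --json --depth=<n>` into the script instead of the constructed sample; peer dependencies that pnpm reports under a different key would need that key added to `DEP_KEYS`.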

gregmagolan commented 2 months ago

@bazel/concatjs is not maintained anymore, so a publish from the latest commit on 5.x is not likely to happen unless new maintainers step up for rules_nodejs 5.x.

My recommendation is to upgrade to rules_js and rules_ts and use js_run_devserver for your devserver if possible. What project are you working on where you are still using @bazel/concatjs?

mohamedmansour commented 2 months ago

Hi @gregmagolan I am using https://github.com/google/tsec which finds possible XSS issues in code.

gregmagolan commented 2 months ago

> Hi @gregmagolan I am using https://github.com/google/tsec which finds possible XSS issues in code.

Sorry. I meant which project is using @bazel/concatjs and if you can upgrade to rules_js & rules_ts there instead of using @bazel/concatjs which is no longer maintained.