Upgrade transitive dependency protobuf-java to fix security vulnerability #1440

cowwoc · 2024-10-24T15:22:04Z

What happened?

IntelliJ reports that Pulumi 0.16.1 depends on a vulnerable version of protobuf-java: https://osv.dev/vulnerability/GHSA-735f-pc8j-v9w8

Example

N/A

Output of `pulumi about`

N/A

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

The text was updated successfully, but these errors were encountered:

cowwoc · 2024-10-24T19:40:55Z

Workaround:

<dependency>
	<groupId>com.pulumi</groupId>
	<artifactId>pulumi</artifactId>
	<version>0.16.1</version>
	<exclusions>
		<exclusion>
			<groupId>com.google.protobuf</groupId>
			<artifactId>protobuf-java</artifactId>
		</exclusion>
	</exclusions>
</dependency>
<dependency>
	<groupId>com.google.protobuf</groupId>
	<artifactId>protobuf-java</artifactId>
	<version>4.28.3</version>
</dependency>

cowwoc added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Oct 24, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade transitive dependency protobuf-java to fix security vulnerability #1440

Upgrade transitive dependency protobuf-java to fix security vulnerability #1440

cowwoc commented Oct 24, 2024 •

edited

Loading

cowwoc commented Oct 24, 2024

Upgrade transitive dependency protobuf-java to fix security vulnerability #1440

Upgrade transitive dependency protobuf-java to fix security vulnerability #1440

Comments

cowwoc commented Oct 24, 2024 • edited Loading

What happened?

Example

Output of pulumi about

Additional context

Contributing

cowwoc commented Oct 24, 2024

cowwoc commented Oct 24, 2024 •

edited

Loading

Output of `pulumi about`