Inquiry About npm Publication of v1.48.0 and Security Update for golang.org/x/crypto

[TMathers-rula]

Hello,

First, thank you for all your hard work on maintaining and improving this project. I noticed that the release of v1.48.0 is tagged here on GitHub, but it doesn't appear to be available on npm yet. I wanted to kindly ask if there is an expected timeline for publishing this version to the npm registry.

Additionally, I noticed that updating golang.org/x/crypto to its latest version (v0.31.0) as part of this release would mitigate the security vulnerability identified as CVE-2024-45337. This update could benefit projects that rely on @bufbuild/buf by addressing this vulnerability.

Could you please confirm if v1.48.0 is in the process of being published, or let us know if there are any blockers?

Thank you again for your efforts and for maintaining such a valuable tool!

Best regards,

Tiffany Mathers

[doriable]

Hello, we appreciate your kind sentiments about buf! We had some issues with our publishing workflows yesterday that have since been resolved and 1.48.0 is now available through NPM https://www.npmjs.com/package/@bufbuild/buf

And yep, we updated the version for this release so we could address the CVE, so that should all be resolved! I'm going to close the discussion, just because the version is available, but please feel free to either re-open or start a new issue/discussion if there are any other questions or concerns. Thanks!