Latest Otel JS Release #768
Comments
Hi, 2.3.0 has been released now |
@seemk Looks like the package is referencing the old version. Here are the screens. Please check and advise. |
@seemk Upon further analysis of the latest version 2.3.0, I assume the protobufjs modules below are still referring to versions before 7.2.4. |
Please do open the case. Thanks & Regards, Kumar.

On Aug 2, 2023, at 3:37 PM, Siim Kallas wrote:
> Closed #768 as completed.
|
Can you elaborate what's the current issue? |
The latest OTEL JS 2.3.0 had updated the protobuf version to 7.2.4. But after performing a NexusIQ scan I noticed a few modules still referring to the previous protobuf version 7.2.3 instead of 7.2.4. Please do review the provided screens for the modules that complained.
|
Can you show the security issue? From the screens it looks like everything is using 7.2.4 |
You can check here that everything is using |
@seemk Please find below the screens referring to old versions in package-lock.json |
@seemk I performed NexusIQ scanning against Otel JS v2.4.0 but no luck, a policy violation is still reported for protobufjs : 7.2.4 |
Is this the same CVE as in this issue? protobufjs/protobuf.js#1918 |
Yeah, it's the same modules that were reported earlier.
|
@seemk Please do provide timelines for bumping protobuf (source & dist files) to 7.2.5 to address the CVE. I did a quick validation at https://npmgraph.js.org/?q=%40splunk%2Fotel and everything is pointing to 7.25, but the latest 2.6.0 version's package.json references 7.2.4. Appreciate your response. |
@kumachop2 Version |
@seemk Thank you for the upgrade, and I noticed package-lock.json still has protobuf.js 7.2.4 & 7.2.3 references. splunk-otel-js/package-lock.json Line 2419 in 1983346
|
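The disagreement in this thread comes down to nested copies of protobufjs in package-lock.json that a scanner flags even when the top-level copy is current. The script below, an added example that is not code from splunk-otel-js or any commenter, walks the lockfileVersion 2/3 "packages" map and lists every installed copy of a package below a minimum version; the lock file contents are constructed, and the 7.2.5 floor is taken from the thread.

```javascript
// Audit a package-lock.json (lockfileVersion 2/3 "packages" map) for nested
// copies of a dependency that sit below a minimum version.
const MIN_PROTOBUFJS = '7.2.5'; // version the thread asks to bump to

// Constructed sample lock: one current top-level copy and two stale nested ones.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/protobufjs': { version: '7.2.5' },
    'node_modules/some-grpc-lib': { version: '1.0.0' },
    'node_modules/some-grpc-lib/node_modules/protobufjs': { version: '7.2.3' },
    'node_modules/other-lib/node_modules/protobufjs': { version: '7.2.4' },
  },
});

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every install path of `pkgName` whose version is below `minVersion`.
function findOutdated(lockJson, pkgName, minVersion) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // The installed package name is whatever follows the last "node_modules/".
    const name = path.split('node_modules/').pop();
    if (name !== pkgName || !meta.version) continue;
    if (compareVersions(meta.version, minVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findOutdated(SAMPLE_LOCK, 'protobufjs', MIN_PROTOBUFJS)) {
    console.log(`${h.path} -> ${h.version} (< ${MIN_PROTOBUFJS})`);
  }
}
```

Point it at a real lock file with `fs.readFileSync('package-lock.json', 'utf8')` in place of `SAMPLE_LOCK`; the nested paths it prints are the entries a scanner such as NexusIQ reports regardless of the top-level version.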
I'm looking for the latest Otel JS version that should be bundled with Pull Request #753 changes. Please do advise.