Latest Otel JS Release

[kumachop2]

I'm looking for latest Otel JS version that should be bundle with Pull Request #753 changes. Please do advice.

[seemk]

Hi, 2.3.0 has been released now

[kumachop2]

@seemk Looks like package referencing to old version. Here is screens. Please check and advice.

v2.2.4:

======================================================
v2.3.0:

[kumachop2]

@seemk upon further analysis the latest version 2.3.0, I assume below modules protobufjs still referring to before 7.2.4 versions

[kumachop2]

Please do open the caseThanks & Regards,Kumar.On Aug 2, 2023, at 3:37 PM, Siim Kallas ***@***.***> wrote: Closed #768 as completed. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[seemk]

Can you elaborate what's the current issue?

[kumachop2]

The latest OTEL JS 2.3.0 had updated protobuf version 7.2.4. But post performing NexusIQ scan I do noticed few modules still referring to previous protobuf version 7.2.3 instead of 7.2.4. Please do review the provided screens for modules that complained. On Aug 3, 2023, at 11:53 AM, Siim Kallas ***@***.***> wrote: Can you elaborate what's the current issue? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[seemk]

Can you show the security issue? From the screens it looks everything is using 7.2.4

[seemk]

You can check here that everything is using 7.2.4: https://npmgraph.js.org/?q=%40splunk%2Fotel

[kumachop2]

@seemk Please find below screens that referring old versions in package-lock.json

[kumachop2]

@seemk I did performed NexusIQ scanning against Otel JS v2.4.0 but no luck, still policy violation reported for protobufjs : 7.2.4

[seemk]

Is this the same CVE as in this issue? protobufjs/protobuf.js#1918

[kumachop2]

Yeah it’s same modules that reported earlier.On Aug 23, 2023, at 2:25 AM, Siim Kallas ***@***.***> wrote: Is this the same CVE as in this issue? protobufjs/protobuf.js#1918 —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[kumachop2]

@seemk Please do provide timelines for bumping protobuf ( source & dist files) to 7.2.5 to address CVE. I did quick validation https://npmgraph.js.org/?q=%40splunk%2Fotel and every thing pointing to 7.25 but latest 2.6.0 version package.json references to 7.2.4. Appreciate your response.

[seemk]

@kumachop2 Version 2.6.1 of @splunk/otel now has protobuf.js 7.2.5

[kumachop2]

@seemk Thank You for the upgrade and noticed still package-lock.json have protobuf.js 7.2.4 & 7.2.3 references.

splunk-otel-js/package-lock.json

Line 2419 in 1983346

"protobufjs": "^7.2.3"