Vulnerabilies in @apollo/protobufjs (dependency of apollo-reporting-protobuf)

[belegur]

Hello, reporting here some security issues that we are receiving in the aws inspector.

The last version (1.2.4) of the @apollo/protobufjs fork has a lot of vulnerabilities in its cli package-lock.json.
This package-lock.json is distributed with the package, so we get all the security warnings when the inspector scans the file.

Hoisted from apollo-server-core#apollo-reporting-protobuf#@apollo#protobufjs

All these vulnerabilities have been fixed in the original protobufjs repository, but the fork is not keeping in sync.

Related vulnerabilities:
CVE-2021-44906
IN1-JS-LODASH-1040724
CVE-2022-21680
CVE-2021-23358

[glasser]

I doubt any of these are real problems affecting our users — you don't even run the CLI on your machine, just we do. Would your scanner be happier if we just added cli/package-lock.json to our npmignore to leave it out of the bundle?

[belegur]

Yes @glasser, I think that would be enough for us 👏

[fjaguero]

This would be beneficial for us as we are getting those vulnerabilities warnings.

[glasser]

Hmm. I added a .npmignore file which includes package-lock.json, but it's still showing up in v1.2.5! I'd expect npm pack --dry-run 2>&1 | grep package-lock (in the repo) to not print anything but it does. Am I doing something wrong?

[belegur]

Maybe you need to remove them from the files in the package.json. I believe that any file explicitly specified there will be published.

[glasser]

Heh, that seems right!

[glasser]

Looks like this will be fixed by #6967 which will go into Apollo Server v4 (currently in release candidate, should be released in a week or two)

[belegur]

Nice! Thank you @glasser