Hi Baodi,

I ran npm audit and it has detected the following vulnerabilities:

```
$ npm audit
# npm audit report

json5  <1.0.2 || >=2.0.0 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - 
https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - 
https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/@babel/core/node_modules/json5
node_modules/json5

request  *
Severity: moderate
Server-Side Request Forgery in Request - 
https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install dtslint@3.6.4, which is a breaking change
node_modules/request
  @qiwi/npm-registry-client  *
  Depends on vulnerable versions of request
  node_modules/@qiwi/npm-registry-client
    @definitelytyped/utils  >=0.0.88
    Depends on vulnerable versions of @qiwi/npm-registry-client
    node_modules/@definitelytyped/utils
      dtslint  >=3.6.6
      Depends on vulnerable versions of @definitelytyped/utils
      node_modules/dtslint

5 vulnerabilities (4 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```

How about cherry-picking this PR to address the high severity vulnerabilities?
https://github.com/apache/pulsar-client-node/pull/270

Hideaki Oguni
Yahoo Japan Corp.

-----Original Message-----
From: Hiroyuki Sakai <hsa...@yahoo-corp.jp>
Reply-To: "dev@pulsar.apache.org" <dev@pulsar.apache.org>
Date: Thursday, April 13, 2023 16:09
To: "dev@pulsar.apache.org" <dev@pulsar.apache.org>
Subject: Re: [VOTE] Pulsar Node.js Client Release 1.8.2 Candidate 3

    +1 (binding)

    * check the license headers
    * build the source
    * run producer/consumer with message listener (source/npm package)
    * verify checksum and signatures

    ==========
    Hiroyuki Sakai
    Yahoo Japan Corp.
    E-mail: hsa...@yahoo-corp.jp

    ________________________________
    From: Baodi Shi <ba...@apache.org>
    Sent: Wednesday, April 12, 2023 18:12
    To: dev@pulsar.apache.org <dev@pulsar.apache.org>
    Subject: [VOTE] Pulsar Node.js Client Release 1.8.2 Candidate 3

    Hi everyone,

    This is the first release candidate for Apache Pulsar Node.js client,
    version 1.8.2.

    It fixes the following issues:
    https://github.com/apache/pulsar-client-node/pulls?q=is%3Apr+label%3Arelease%2Fv1.8.2+is%3Aclosed

    Please download the source files and review this release candidate:
    - Download the source package, verify shasum and asc
    - Follow the README.md to build and run the Pulsar Node.js client.

    The release candidate package has been published to the npm registry:
    https://www.npmjs.com/package/pulsar-client/v/1.8.2-rc.3

    You can install it by `npm i pulsar-client@1.8.2-rc.3 --pulsar_binary_host_mirror=https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/`
    and verify the package.

    You can refer to this repository to verify tls related features:

    https://github.com/shibd/pulsar-client-tls-test

    The vote will be open for at least 72 hours. It is adopted by majority
    approval, with at least 3 PMC affirmative votes.

    Source files:
    https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/pulsar-client-node-1.8.2-rc.3/

    Pulsar's KEYS file containing PGP keys we use to sign the release:
    https://dist.apache.org/repos/dist/dev/pulsar/KEYS

    SHA-512 checksum:
    98ff08092d3cd768a39499acac332cdec076a53b5521dad92c00810e8549165ede35eb3e2b1b6184265600e4e6a92356a2f142b1a1fa81d9c1461ac3c1e008f4  ./apache-pulsar-client-node-1.8.2.tar.gz

    The tag to be voted upon:
    v1.8.2-rc.3 (c8e7c41, https://github.com/apache/pulsar-client-node/commit/c8e7c41ee72c8a8f33cf1599ab87d0eabf45753c)
    https://github.com/apache/pulsar-client-node/releases/tag/v1.8.2-rc.3

    Please review and vote on the release candidate #1 for the version
    1.8.2, as follows:
    [ ] +1, Approve the release
    [ ] -1, Do not approve the release (please provide specific comments)


    Thanks,
    Baodi Shi

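The verification steps the vote mail asks for (checksum against the digest in the mail, signature against the project's KEYS file) followed by a gate on the npm audit findings raised at the top of the thread, written up as an added shell script; it is not part of the pulsar-client-node project or of anyone's reply here. It assumes `sha512sum` (or `shasum`), `gpg` and npm 8+ are on PATH, that the KEYS file and the detached `.asc` signature sit beside the downloaded tarball, and that the caller passes the expected digest in from the e-mail.

```shell
#!/bin/sh
# Added example, not part of the pulsar-client-node project: verify a release
# candidate tarball as the vote e-mail asks, then gate on npm audit.
# Assumed environment: sha512sum (or shasum), gpg and npm 8+ on PATH; the KEYS
# file and the detached <tarball>.asc downloaded beside the tarball.

# Digest of a file, portable across GNU coreutils (sha512sum) and BSD/macOS (shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# 0 when the file's SHA-512 equals the expected hex digest (case-insensitive), 1 otherwise.
verify_sha512() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha512_of "$1")
    [ "$actual" = "$expected" ]
}

# Import the project's KEYS file into a throwaway keyring and verify the
# detached signature there, so a key already trusted on this machine cannot
# stand in for a key that is not in KEYS.
verify_signature() {
    keys=$1
    file=$2
    keyring=$(mktemp -d)
    if gpg --homedir "$keyring" --batch --quiet --import "$keys" &&
       gpg --homedir "$keyring" --batch --verify "$file.asc" "$file"; then
        status=0
    else
        status=1
    fi
    rm -rf "$keyring"
    return "$status"
}

# Unpack the source tarball, resolve its lockfile without running install
# scripts, and fail when npm audit reports anything at or above the given level.
# Pass --omit=dev as the third argument to judge only what the package ships.
audit_gate() {
    tarball=$1
    level=${2:-high}
    extra=${3:-}
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work"
    pkgdir=$(dirname "$(find "$work" -name package.json -not -path '*/node_modules/*' | head -n 1)")
    if (cd "$pkgdir" &&
        npm install --ignore-scripts --package-lock-only $extra &&
        npm audit --audit-level="$level" $extra); then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return "$status"
}

main() {
    tarball=$1
    expected=$2
    keys=$3
    verify_sha512 "$tarball" "$expected" || { echo "checksum mismatch: $tarball" >&2; return 1; }
    verify_signature "$keys" "$tarball" || { echo "signature check failed: $tarball" >&2; return 1; }
    audit_gate "$tarball" high
}

# Usage: sh verify-rc.sh apache-pulsar-client-node-1.8.2.tar.gz <sha512 from the vote mail> KEYS
# Only runs when given its three arguments, so the functions can also be sourced.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

The audit runs against a fresh lockfile generated from the tarball's own package.json, so it reflects what a user installing the release would resolve rather than whatever is cached locally. In the report above, the four moderate findings all chain through dtslint; if that is a devDependency, running `audit_gate` a second time with `--omit=dev` separates what ships to users from what only affects contributors, while the high-severity json5 finding shows up either way.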