Hi, @Oguni Hideaki <hog...@yahoo-corp.jp>

Thanks for your feedback.

> How about cherry-picking this PR to address the high severity
> vulnerabilities?
>
Sure, I'll push 1.8.2-rc.4 later.

Let's wait another day and see if there is any other feedback.

Thanks,
Baodi Shi


On Apr 13, 2023 at 17:46:23, Oguni Hideaki <hog...@yahoo-corp.jp> wrote:

> Hi Baodi,
>
> I ran npm audit and it has detected the following vulnerabilities:
>
> ```
> $ npm audit
> # npm audit report
>
> json5  <1.0.2 || >=2.0.0 <2.2.2
> Severity: high
> Prototype Pollution in JSON5 via Parse Method -
> https://github.com/advisories/GHSA-9c47-m6qq-7p4h
> Prototype Pollution in JSON5 via Parse Method -
> https://github.com/advisories/GHSA-9c47-m6qq-7p4h
> fix available via `npm audit fix`
> node_modules/@babel/core/node_modules/json5
> node_modules/json5
>
> request  *
> Severity: moderate
> Server-Side Request Forgery in Request -
> https://github.com/advisories/GHSA-p8p7-x288-28g6
> fix available via `npm audit fix --force`
> Will install dtslint@3.6.4, which is a breaking change
> node_modules/request
>  @qiwi/npm-registry-client  *
>  Depends on vulnerable versions of request
>  node_modules/@qiwi/npm-registry-client
>    @definitelytyped/utils  >=0.0.88
>    Depends on vulnerable versions of @qiwi/npm-registry-client
>    node_modules/@definitelytyped/utils
>      dtslint  >=3.6.6
>      Depends on vulnerable versions of @definitelytyped/utils
>      node_modules/dtslint
>
> 5 vulnerabilities (4 moderate, 1 high)
>
> To address issues that do not require attention, run:
>  npm audit fix
>
> To address all issues (including breaking changes), run:
>  npm audit fix --force
> ```
>
> How about cherry-picking this PR to address the high severity
> vulnerabilities?
> https://github.com/apache/pulsar-client-node/pull/270
>
> Hideaki Oguni
> Yahoo Japan Corp.
>
> -----Original Message-----
> From: Hiroyuki Sakai <hsa...@yahoo-corp.jp>
> Reply-To: "dev@pulsar.apache.org" <dev@pulsar.apache.org>
> Date: Thursday, April 13, 2023 16:09
> To: "dev@pulsar.apache.org" <dev@pulsar.apache.org>
> Subject: Re: [VOTE] Pulsar Node.js Client Release 1.8.2 Candidate 3
>
>    +1 (binding)
>
>    * check the license headers
>    * build the source
>    * run producer/consumer with message listener (source/npm package)
>    * verify checksum and signatures
>
>    ==========
>    Hiroyuki Sakai
>    Yahoo Japan Corp.
>    E-mail: hsa...@yahoo-corp.jp
>
>    ________________________________
>    From: Baodi Shi <ba...@apache.org>
>    Sent: Wednesday, April 12, 2023 18:12
>    To: dev@pulsar.apache.org <dev@pulsar.apache.org>
>    Subject: [VOTE] Pulsar Node.js Client Release 1.8.2 Candidate 3
>
>    Hi everyone,
>
>    This is the first release candidate for Apache Pulsar Node.js client,
>    version 1.8.2.
>
>    It fixes the following issues:
>
> https://github.com/apache/pulsar-client-node/pulls?q=is%3Apr+label%3Arelease%2Fv1.8.2+is%3Aclosed
>
>    Please download the source files and review this release candidate:
>    - Download the source package, verify shasum and asc
>    - Follow the README.md to build and run the Pulsar
>    Node.js client.
>
>    The release candidate package has been published to the npm registry:
>
>    https://www.npmjs.com/package/pulsar-client/v/1.8.2-rc.3
>
>    You can install it by `npm i pulsar-client@1.8.2-rc.3
>    --pulsar_binary_host_mirror=https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/`
>    and verify the package.
>
>    You can refer to this repository to verify tls related features:
>
>    https://github.com/shibd/pulsar-client-tls-test
>
>    The vote will be open for at least 72 hours. It is adopted by majority
>    approval, with at least 3 PMC affirmative votes.
>
>    Source files:
>
> https://dist.apache.org/repos/dist/dev/pulsar/pulsar-client-node/pulsar-client-node-1.8.2-rc.3/
>
>    Pulsar's KEYS file containing PGP keys we use to sign the release:
>    https://dist.apache.org/repos/dist/dev/pulsar/KEYS
>
>    SHA-512 checksum:
>
>    98ff08092d3cd768a39499acac332cdec076a53b5521dad92c00810e8549165ede35eb3e2b1b6184265600e4e6a92356a2f142b1a1fa81d9c1461ac3c1e008f4
>    ./apache-pulsar-client-node-1.8.2.tar.gz
>
>    The tag to be voted upon:
>    v1.8.2-rc.3 (c8e7c41
>    https://github.com/apache/pulsar-client-node/commit/c8e7c41ee72c8a8f33cf1599ab87d0eabf45753c)
>    https://github.com/apache/pulsar-client-node/releases/tag/v1.8.2-rc.3
>
>    Please review and vote on the release candidate #1 for the version
>    1.8.2, as follows:
>    [ ] +1, Approve the release
>    [ ] -1, Do not approve the release (please provide specific comments)
>
>
>    Thanks,
>    Baodi Shi
>
>

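The high-severity finding in the npm audit output above (GHSA-9c47-m6qq-7p4h, json5 `parse`) is a prototype-pollution bug of the "replace the returned object's prototype" kind: a `"__proto__"` key in the parsed document is assigned with a plain property store, which invokes the `__proto__` setter and makes the attacker's values inherited by the result. The block below is an added example written for this page; it is not code from the thread, from json5 or from pulsar-client-node. It shows a naive object assembly next to a hardened one (defining keys as own data properties, which is my reading of how the json5 fix handles `"__proto__"`), plus the consumer-side own-property check that makes an authorization decision robust even when the parser is naive. The sample document is constructed for the example, and `JSON.parse` is used only to tokenize it into key/value pairs.

```javascript
// Added example, not code from the thread, from json5 or from pulsar-client-node.
// It reproduces the bug class behind GHSA-9c47-m6qq-7p4h: a parser that stores
// keys with plain `obj[key] = value` lets a "__proto__" key in the input replace
// the prototype of the returned object, so attacker-chosen properties are
// inherited by it. The document below is constructed for this example.

const UNTRUSTED_DOC = '{"name": "conf", "__proto__": {"isAdmin": true}}';

// JSON.parse itself stores "__proto__" as an own property, so it is only used
// here to tokenize the document into key/value pairs; the two builders below
// stand in for how a hand-written parser assembles the result object.
function pairsOf(text) {
  return Object.entries(JSON.parse(text));
}

// Naive assembly: `obj["__proto__"] = value` hits the __proto__ setter and
// swaps the object's prototype for the attacker-controlled value.
function buildNaive(text) {
  const obj = {};
  for (const [key, value] of pairsOf(text)) {
    obj[key] = value;
  }
  return obj;
}

// Hardened assembly: define every key as an own data property, so "__proto__"
// is stored as ordinary data and the prototype stays Object.prototype.
// (Assumption: this mirrors the json5 2.2.2 / 1.0.2 fix for the "__proto__"
// key; the thread itself does not describe the fix.)
function buildSafe(text) {
  const obj = {};
  for (const [key, value] of pairsOf(text)) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Consumer-side check: a trust decision must read own properties only, so an
// inherited `isAdmin` is never honoured even if the parser was the naive one.
function isAdminOwn(obj) {
  return Object.prototype.hasOwnProperty.call(obj, 'isAdmin') && obj.isAdmin === true;
}

// Summarise what each builder produces for the untrusted document.
function demo() {
  const naive = buildNaive(UNTRUSTED_DOC);
  const safe = buildSafe(UNTRUSTED_DOC);
  return {
    naiveInheritsIsAdmin: naive.isAdmin === true,
    naivePrototypeReplaced: Object.getPrototypeOf(naive) !== Object.prototype,
    safeInheritsIsAdmin: safe.isAdmin === true,
    safeKeepsProtoAsData: Object.prototype.hasOwnProperty.call(safe, '__proto__'),
    // Neither builder writes to the global Object.prototype; the advisory's
    // impact is the per-object prototype, not the global one.
    globalPrototypeClean: ({}).isAdmin === undefined,
    ownCheckRejectsNaive: isAdminOwn(naive) === false,
  };
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with `node` to print the six flags; the naive build inherits `isAdmin` and has a replaced prototype, the safe build keeps `__proto__` as plain data, and `isAdminOwn` rejects the naive object because the flag is not an own property. The global `Object.prototype` is untouched in both cases, which is why the advisory scores the impact on the returned object rather than on every object in the process.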