fix(cmd-api-server): fix CVE-2023-36665 protobufjs try 2

1. Upgraded fabric-network from 2.2.10 to 2.2.18 wherever it was still 2.2.10 2. Upgraded ipfs-http-client project-wide from 51.0.1 to 60.0.1 3. Upgraded @google-cloud/secret-manager from 3.9.0 to 5.0.1 This is the second try at fixing this issue. For some reason the first PR didn't get it done. The most likely reason is that other commits in the meantime added back the vulnerable versions of the packages, but I'm not a 100% sure. [skip ci] Fixes hyperledger-cacti#2682 Signed-off-by: Peter Somogyvari <[email protected]>
petermetz · Oct 13, 2023 · ef49b40 · ef49b40
1 parent a04fc5b
commit ef49b40
Show file tree

Hide file tree

Showing 5 changed files with 625 additions and 382 deletions.
diff --git a/examples/cactus-example-cbdc-bridging-backend/package.json b/examples/cactus-example-cbdc-bridging-backend/package.json
@@ -73,9 +73,9 @@
     "axios": "^0.27.2",
     "crypto-js": "4.1.1",
     "dotenv": "^16.0.1",
-    "fabric-network": "2.2.10",
+    "fabric-network": "2.2.18",
     "fs-extra": "10.1.0",
-    "ipfs-http-client": "51.0.1",
+    "ipfs-http-client": "60.0.1",
     "knex": "2.5.1",
     "nyc": "^13.1.0",
     "openapi-types": "9.1.0",

diff --git a/extensions/cactus-plugin-object-store-ipfs/package.json b/extensions/cactus-plugin-object-store-ipfs/package.json
@@ -59,7 +59,7 @@
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
     "axios": "0.21.4",
-    "ipfs-http-client": "51.0.1",
+    "ipfs-http-client": "60.0.1",
     "run-time-error": "1.4.0",
     "typescript-optional": "2.0.1",
     "uuid": "8.3.2"

diff --git a/packages/cactus-plugin-keychain-google-sm/package.json b/packages/cactus-plugin-keychain-google-sm/package.json
@@ -55,7 +55,7 @@
     "webpack:dev:web": "webpack --env=dev --target=web --config ../../webpack.config.js"
   },
   "dependencies": {
-    "@google-cloud/secret-manager": "3.9.0",
+    "@google-cloud/secret-manager": "5.0.1",
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",

diff --git a/packages/cactus-plugin-odap-hermes/package.json b/packages/cactus-plugin-odap-hermes/package.json
@@ -73,7 +73,7 @@
     "@types/tape": "4.13.4",
     "crypto-js": "4.0.0",
     "fabric-network": "2.2.18",
-    "ipfs-http-client": "51.0.1",
+    "ipfs-http-client": "60.0.1",
     "typescript": "4.9.5"
   },
   "engines": {