Description
The latest version of @convergence/convergence (1.0.0-rc.12) depends on protobufjs 6.11.2, a version with known security vulnerabilities that npm audit flags in any project that installs the library.
Affected Versions
- @convergence/convergence: 1.0.0-rc.12
- protobufjs: 6.11.2
The following vulnerabilities are present in protobufjs@6.11.2:
Expected Behavior
The library should depend on protobufjs 6.11.4 or later, where the vulnerability is patched, so that consumers do not inherit a flagged transitive dependency.
Steps to Reproduce
- Install @convergence/convergence@1.0.0-rc.12 in your project.
- Run npm audit, or inspect package-lock.json for the protobufjs version that was resolved.
- Observe that protobufjs 6.11.2 is installed and flagged by the audit.
Proposed Fix
Update the protobufjs dependency declared by @convergence/convergence to 6.11.4, or a later version in which the vulnerability is patched, and publish a new release.
Workarounds
Until then, developers can pin protobufjs to 6.11.4 with npm overrides in their own package.json. This is not a sustainable long-term solution, since every consumer has to carry and maintain the override; updating the dependency in the library itself is the proper fix.
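The override, as an added example rather than something from the original report: the "my-app" name is made up, and the override is scoped under @convergence/convergence so that it only rewrites the copy of protobufjs that this library pulls in, leaving any other dependency's protobufjs requirement alone. The overrides field requires npm 8.3 or later.

```json
{
  "name": "my-app",
  "dependencies": {
    "@convergence/convergence": "1.0.0-rc.12"
  },
  "overrides": {
    "@convergence/convergence": {
      "protobufjs": "6.11.4"
    }
  }
}
```

After running npm install, confirm the result with npm ls protobufjs, which should show 6.11.4 resolved under @convergence/convergence and no remaining 6.11.2 entry; npm audit should then no longer flag it. Yarn users get the same effect with a "resolutions" field instead of "overrides".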
Request
Please update the dependency in the next release of @convergence/convergence, so that applications depending on it no longer carry a flagged transitive dependency and can keep their audits clean.