version 10.0.1 depends on vulnerable protobufjs

[slowtick]

Version 10.0.1 of @google-cloud/datastore library sets "protobufjs": "7.0.0" which has a critical vulnerability.

# npm audit report

protobufjs  7.0.0 - 7.2.4
Severity: critical
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install @google-cloud/datastore@9.2.1, which is a breaking change
node_modules/@google-cloud/datastore/node_modules/protobufjs
  @google-cloud/datastore  >=10.0.1
  Depends on vulnerable versions of protobufjs
  node_modules/@google-cloud/datastore

2 critical severity vulnerabilities

Overriding to "protobufjs": "^7.0.0" seem to bring in latest of protobufjs that mitigates the vulnerability & seem to work okay in our tests.

Can this dependency be updated and released?

[cebrix]

We are having same issue.

[pablocoberly]

Same issue here. We'd rather not have to revert to a version using pre-node node 18.

[matt-blanchette]

The strict "protobufjs": "7.0.0" version is inconsistent with dependency google-gax

google-gax 5.0.2-rc.1 depends on "protobufjs": "^7.5.0"
Latest google-gax 5.0.1 depends on "protobufjs": "^7.5.3"

But it looks like protobufjs 7.5 isn't compatible at the moment (see #7150)

[kirillgroshkov]

Is PR to fix this (to switch to ^) welcome?

[tbinna]

This appears to have been fixed, but unfortunately, the change has not been released yet.

[akutuev]

Any updates there? Our commercial project relies on this library and Whitesource indicates it as Critical so we have to take actions ASAP

[cristianrgreco]

Exposing users to a critical vulnerability for over six months with zero maintainer response is a clear signal that it’s time to move away from this project.

[feychenie]

• still an issue with v10.1.0 of @google-cloud/datastore, protobuffjs is v7.4.0 but < 7.5.5 is vulnerable (level critical)
• and the library does not seem to have been copied from the now archived repo to this one, is it still maintained?
• if not, what is the alternative we should use?

[christhegrand]

This is also affecting @google-cloud/profiler.