**Background**

- Upgrading the `steam-appticket` dependency via `steam-user` in /steam_bot (bump from `1.0.1` to `^2.0.1`) is proposed.
- This upgrade requires `protobufjs@^7.5.6`, which carries the fixes for the protobufjs security advisories listed under References.

**Blocking/Tracking**

- Wait for merge/release of [steam-user PR #535](https://github.com/DoctorMcKay/node-steam-user/pull/535)

**References**

- Arbitrary code execution in protobufjs - https://github.com/advisories/GHSA-xq3m-2v4x-88gg
- protobufjs has overlong UTF-8 decoding - https://github.com/advisories/GHSA-q6x5-8v7m-xcrf
- protobuf.js: Denial of service from crafted field names in generated code - https://github.com/advisories/GHSA-2pr8-phx7-x9h3
- protobuf.js: Code injection through bytes field defaults in generated toObject code - https://github.com/advisories/GHSA-66ff-xgx4-vchm
- protobuf.js: Prototype injection in generated message constructors - https://github.com/advisories/GHSA-fx83-v9x8-x52w
- protobuf.js: Code generation gadget after prototype pollution - https://github.com/advisories/GHSA-75px-5xx7-5xc7
- protobuf.js: Process-wide denial of service through unsafe option paths - https://github.com/advisories/GHSA-jvwf-75h9-cwgg
- protobuf.js: Denial of service through unbounded protobuf recursion - https://github.com/advisories/GHSA-685m-2w69-288q

---

- This issue tracks the dependency upgrade and should be closed when the upstream PR is merged and released, and the fix can be applied locally.
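A quick way to confirm that the fix has actually landed in the local tree (including nested copies pulled in transitively by `steam-user`) is to walk `package-lock.json` and flag every `protobufjs` or `steam-appticket` entry below the minimum versions this issue names. The script below is an added example for this issue, not code from steam_bot or steam-user; it assumes a lockfile in the v2/v3 `packages` format and uses a deliberately minimal version comparator so it runs offline without the `semver` package. The embedded lockfile is constructed sample data.

```javascript
// Minimum versions taken from this issue: protobufjs@^7.5.6 carries the
// advisory fixes, steam-appticket@^2.0.1 is the proposed bump.
const MINIMUMS = {
  protobufjs: '7.5.6',
  'steam-appticket': '2.0.1',
};

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; numeric, so 7.10.0 > 7.9.9.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk every installed package in a v2/v3 lockfile. Nested installs live
// under paths like "node_modules/steam-user/node_modules/protobufjs", so
// the package name is the last path segment after "node_modules/".
function findOutdated(lock, minimums = MINIMUMS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split('node_modules/').pop();
    const min = minimums[name];
    if (!min || !entry.version) continue;
    if (compareVersions(entry.version, min) < 0) {
      findings.push({ path, name, version: entry.version, required: `>=${min}` });
    }
  }
  return findings;
}

// Constructed sample: the top-level protobufjs is fixed, but steam-user
// still hoists its own older protobufjs and the old steam-appticket.
const SAMPLE_LOCK = {
  name: 'steam_bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'steam_bot', version: '0.0.0' },
    'node_modules/protobufjs': { version: '7.5.6' },
    'node_modules/steam-user': { version: '0.0.0-constructed' },
    'node_modules/steam-user/node_modules/protobufjs': { version: '6.11.4' },
    'node_modules/steam-user/node_modules/steam-appticket': { version: '1.0.1' },
  },
};

// Audit a real lockfile when a path is given; otherwise demonstrate on the sample.
function auditLockfile(lockPath) {
  const fs = require('fs');
  return findOutdated(JSON.parse(fs.readFileSync(lockPath, 'utf8')));
}

if (typeof process !== 'undefined' && process.argv[2]) {
  const out = auditLockfile(process.argv[2]);
  console.log(out.length ? out : 'no outdated protobufjs/steam-appticket entries');
} else {
  console.log(findOutdated(SAMPLE_LOCK));
}
```

Run it as `node audit-lock.js package-lock.json` after the upgrade; an empty result means no copy of `protobufjs` older than 7.5.6 remains anywhere in the tree, which is the condition under which this issue can be closed.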