Skip to content

fix(chore): gRPC Memory Allocation Vulnerability#6902

Merged
krupanand-bitgo merged 1 commit into
masterfrom
DX-1515_grpc_vul_fix
Sep 23, 2025
Merged

fix(chore): gRPC Memory Allocation Vulnerability#6902
krupanand-bitgo merged 1 commit into
masterfrom
DX-1515_grpc_vul_fix

Conversation

@krupanand-bitgo

Copy link
Copy Markdown
Contributor

Updated @hashgraph/sdk from version 2.29.0 to 2.72.0 to use a patched version of @grpc/grpc-js that fixes the memory allocation vulnerability.
Added a resolution override for @grpc/grpc-js in the root package.json to ensure all dependencies use the patched version (^1.12.6).

Ticket: DX-1515

@krupanand-bitgo
krupanand-bitgo force-pushed the DX-1515_grpc_vul_fix branch 3 times, most recently from 8592176 to 9831801 Compare September 9, 2025 10:22
mukeshsp
mukeshsp previously approved these changes Sep 9, 2025
abhi-bitgo
abhi-bitgo previously approved these changes Sep 9, 2025
akarath
akarath previously approved these changes Sep 9, 2025

@akarath akarath left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@krupanand-bitgo
krupanand-bitgo marked this pull request as ready for review September 10, 2025 07:28
@krupanand-bitgo
krupanand-bitgo requested a review from a team September 10, 2025 07:28
@krupanand-bitgo
krupanand-bitgo requested review from a team as code owners September 10, 2025 07:28
0xPrabh
0xPrabh previously approved these changes Sep 10, 2025
Comment thread package.json
therealdwright
therealdwright previously approved these changes Sep 11, 2025
zahin-mohammad
zahin-mohammad previously approved these changes Sep 11, 2025
@krupanand-bitgo

Copy link
Copy Markdown
Contributor Author

This PR was temporarily closed because I accidentally pushed the wrong head. I've now pushed the correct head with the latest changes and reopened the PR.

@zahin-mohammad

Copy link
Copy Markdown
Contributor

This PR was temporarily closed because I accidentally pushed the wrong head. I've now pushed the correct head with the latest changes and reopened the PR.

Could you rebase your PR?

fix gRPC Memory Allocation Vulnerability
Ticket: DX-1515

@jimethn jimethn left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you sure none of these packages are affected by the NPM worm that's been going around?

@krupanand-bitgo

Copy link
Copy Markdown
Contributor Author

Don't we have a semi-code freeze on NPM updates?

updated yarn.lock file

@krupanand-bitgo

Copy link
Copy Markdown
Contributor Author

are you sure none of these packages are affected by the NPM worm that's been going around?

Yes, I've verified that none of the packages being upgraded in this PR are affected by the recent NPM supply chain attacks. I cross-checked them against the known vulnerable packages listed in the following reports:
NPM debug and chalk packages compromised
S1ngularity/NX attackers strike again

@krupanand-bitgo
krupanand-bitgo merged commit d604587 into master Sep 23, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

8 participants