Update dependencies to address security vulnerabilities

Go vulnerabilities: - CVE-2023-45288 Node vulnerabilities: - CVE-2023-36665 Additional changes: - Require Node 16 for Node bindings. - Exploit Node 16 language features in TypeScript compiler. - Update patch version following last published release. - Update build tools. - Use latest language versions for vulnerability scan to avoid false positives from standard libraries. Signed-off-by: Mark S. Lewis <[email protected]>
hyperledger · Apr 11, 2024 · 669463d · 669463d
1 parent 15b265d
commit 669463d
Show file tree

Hide file tree

Showing 10 changed files with 1,860 additions and 635 deletions.
diff --git a/.github/workflows/ci-checks.yml b/.github/workflows/ci-checks.yml
@@ -11,7 +11,7 @@ on:
         value: ${{ jobs.check_version.outputs.binding_version }}
 
 env:
-  BINDING_VERSION: 0.3.3
+  BINDING_VERSION: 0.3.4
 
 jobs:
   check_release:

diff --git a/.github/workflows/node-bindings.yml b/.github/workflows/node-bindings.yml
@@ -34,7 +34,7 @@ jobs:
 
     - uses: actions/setup-node@v4
       with:
-        node-version: 14
+        node-version: 16
         cache: 'npm'
         cache-dependency-path: bindings/node/package-lock.json
         registry-url: https://registry.npmjs.org/

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -9,7 +9,7 @@ permissions:
   contents: read
 
 env:
-  GO_VERSION: '1.21.6'
+  GO_VERSION: '1.22'
 
 jobs:
   go:
@@ -34,7 +34,7 @@ jobs:
           cache: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 20
       - name: Scan
         run: make scan-node
 
@@ -48,7 +48,7 @@ jobs:
           cache: false
       - uses: actions/setup-java@v4
         with:
-          java-version: 17
+          java-version: 21
           distribution: temurin
           cache: maven
       - name: Scan

diff --git a/Makefile b/Makefile
@@ -25,15 +25,15 @@ HTTPS_GIT := https://github.com/hyperledger/fabric-protos.git
 SSH_GIT := ssh://[email protected]/hyperledger/fabric-protos.git
 
 # This controls the version of buf to install and use.
-BUF_VERSION := 1.25.1
+BUF_VERSION := 1.30.1
 # If true, Buf is installed from source instead of from releases
 BUF_INSTALL_FROM_SOURCE := false
 
-PROTOC_VERSION := 23.4
+PROTOC_VERSION := 25.3
 PROTOC_GEN_DOC_VERSION := 1.5.1
-PROTOC_GEN_GO_VERSION := 1.31.0
+PROTOC_GEN_GO_VERSION := 1.33.0
 PROTOC_GEN_GO_GRPC_VERSION := 1.3.0
-PROTOC_GEN_GRPC_JAVA_VERSION := 1.57.1
+PROTOC_GEN_GRPC_JAVA_VERSION := 1.63.0
 PROTOC_GEN_JS_VERSION := 3.21.2
 GRPC_TOOLS_VERSION := 1.12.4
 TS_PROTOC_GEN_VERSION := 0.15.0

diff --git a/bindings/go-apiv2/go.mod b/bindings/go-apiv2/go.mod
@@ -3,14 +3,13 @@ module github.com/hyperledger/fabric-protos-go-apiv2
 go 1.17
 
 require (
-	google.golang.org/grpc v1.57.0
-	google.golang.org/protobuf v1.31.0
+	google.golang.org/grpc v1.63.2
+	google.golang.org/protobuf v1.33.0
 )
 
 require (
-	github.com/golang/protobuf v1.5.3 // indirect
-	golang.org/x/net v0.14.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 // indirect
+	golang.org/x/net v0.24.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
 )
diff --git a/bindings/go-apiv2/go.sum b/bindings/go-apiv2/go.sum
diff --git a/bindings/java/pom.xml b/bindings/java/pom.xml
@@ -6,7 +6,7 @@
 
   <groupId>org.hyperledger.fabric</groupId>
   <artifactId>fabric-protos</artifactId>
-  <version>0.3.3-SNAPSHOT</version>
+  <version>0.3.4-SNAPSHOT</version>
 
   <name>fabric-protos</name>
   <description>PROTO library for fabric-protos</description>
@@ -42,7 +42,7 @@
       <dependency>
         <groupId>io.grpc</groupId>
         <artifactId>grpc-bom</artifactId>
-        <version>1.57.1</version>
+        <version>1.63.0</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -58,10 +58,10 @@
       <groupId>io.grpc</groupId>
       <artifactId>grpc-stub</artifactId>
     </dependency>
-    <dependency>
-      <groupId>jakarta.annotation</groupId>
-      <artifactId>jakarta.annotation-api</artifactId>
-      <version>2.1.1</version>
+    <dependency> <!-- necessary for Java 9+ -->
+      <groupId>org.apache.tomcat</groupId>
+      <artifactId>annotations-api</artifactId>
+      <version>6.0.53</version>
       <scope>provided</scope>
     </dependency>
   </dependencies>
@@ -147,7 +147,7 @@
           <plugin>
             <groupId>org.cyclonedx</groupId>
             <artifactId>cyclonedx-maven-plugin</artifactId>
-            <version>2.7.9</version>
+            <version>2.7.11</version>
             <configuration>
               <includeCompileScope>true</includeCompileScope>
               <includeProvidedScope>false</includeProvidedScope>
@@ -235,7 +235,7 @@
       <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
       <plugin>
         <artifactId>maven-site-plugin</artifactId>
-        <version>3.12.1</version>
+        <version>4.0.0-M3</version>
       </plugin>
       <plugin>
         <artifactId>maven-project-info-reports-plugin</artifactId>