Hi! Thanks for maintaining this SDK.
Currently `@google/genai@2.4.0` (and back through 2.0.0 + the 1.x line) declares:
```json
"dependencies": {
"google-auth-library": "^10.3.0",
"p-retry": "^4.6.2",
"protobufjs": "^7.5.4",
"ws": "^8.18.0"
}
```
This causes `bun audit` / `npm audit` to report multiple advisories that consumers can only close by overriding transitive ranges:
| Package | Pinned range | Advisory range | Patched |
|---|---|---|---|
| `protobufjs` | `^7.5.4` (resolves 7.5.4) | `<=7.5.5` | 7.6.0 |
| `ws` | `^8.18.0` (resolves 8.18.x) | `>=8.0.0 <8.20.1` | 8.20.1 |
Through the SDK's deeper graph (`google-auth-library` → `gcp-metadata` → `gaxios` → ...) consumers also pick up advisories on `uuid`, `@hono/node-server`, `ip-address`, `fast-xml-builder`, `fast-uri`, `@protobufjs/utf8`, `@tootallnate/once`. Some of those will close transitively once `protobufjs` and `ws` move.
Specific advisories closed by bumping
Suggested fix
Bump the runtime ranges to known-safe minimums:
```json
"dependencies": {
"google-auth-library": "^10.3.0",
"p-retry": "^4.6.2",
"protobufjs": "^7.6.0",
"ws": "^8.20.1"
}
```
Both are semver-compatible with the current pins, so there are no consumer-facing API changes.
Context
We just bumped from `1.52.0` → `2.0.1` as part of a security-driven dep refresh and were surprised to find `bun audit` report identical numbers before and after — the transitive ranges hadn't moved.
Happy to send a PR if helpful — let me know.
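As an added example (not from this issue or the SDK), a small check that a caret range declared in `package.json` can still resolve to a release inside an advisory range. It uses the two advisory ranges from the table above and assumes the simple comparator syntax shown there (`>=`, `>`, `<=`, `<`, space-separated means AND); the dependency objects in the test are the before/after blocks from this issue.

```javascript
// Added example, not from the issue or the SDK: does a caret range declared in
// package.json still permit a release that an advisory marks as vulnerable?
function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}
function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// "^7.5.4" permits [7.5.4, 8.0.0); "^0.2.3" would permit [0.2.3, 0.3.0).
function caretInterval(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const lo = parseVersion(range.slice(1));
  const hi = lo.major > 0
    ? { major: lo.major + 1, minor: 0, patch: 0 }
    : { major: 0, minor: lo.minor + 1, patch: 0 };
  return { lo, loInc: true, hi, hiInc: false };
}

// "<=7.5.5" -> (-inf, 7.5.5]; ">=8.0.0 <8.20.1" -> [8.0.0, 8.20.1). null = unbounded.
function advisoryInterval(spec) {
  const iv = { lo: null, loInc: true, hi: null, hiInc: true };
  for (const tok of spec.trim().split(/\s+/)) {
    const m = tok.match(/^(>=|<=|>|<)(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported comparator: ${tok}`);
    const v = parseVersion(m[2]);
    if (m[1][0] === '>') { iv.lo = v; iv.loInc = m[1] === '>='; }
    else { iv.hi = v; iv.hiInc = m[1] === '<='; }
  }
  return iv;
}

// Lower bound x sits at or below upper bound y (equality only if both ends closed).
function reaches(x, xInc, y, yInc) {
  if (x === null || y === null) return true;
  const c = cmp(x, y);
  return c < 0 || (c === 0 && xInc && yInc);
}

// Two intervals overlap iff each one's low end reaches the other's high end.
function rangePermitsVulnerable(range, advisory) {
  const a = caretInterval(range), b = advisoryInterval(advisory);
  return reaches(a.lo, a.loInc, b.hi, b.hiInc) && reaches(b.lo, b.loInc, a.hi, a.hiInc);
}

// Advisory ranges copied from the issue table; returns the names still exposed.
const ADVISORIES = { protobufjs: '<=7.5.5', ws: '>=8.0.0 <8.20.1' };
function exposedPackages(dependencies) {
  return Object.keys(dependencies).filter((n) =>
    Object.hasOwn(ADVISORIES, n) && rangePermitsVulnerable(dependencies[n], ADVISORIES[n]));
}
```

This reasons about the declared floor, which is what a maintainer controls; `npm audit` and `bun audit` instead report on the versions resolved in the lockfile, so a floor bump also has to be followed by a lockfile refresh before the numbers move.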