Skip to content

fix(deps): pin protobufjs to 7.5.6 (CVE-2026-41242, Dependabot #132)#970

Merged
teallarson merged 1 commit into
mainfrom
ooda-plan-resolve-issue
May 13, 2026
Merged

fix(deps): pin protobufjs to 7.5.6 (CVE-2026-41242, Dependabot #132)#970
teallarson merged 1 commit into
mainfrom
ooda-plan-resolve-issue

Conversation

@teallarson
Copy link
Copy Markdown
Contributor

@teallarson teallarson commented May 13, 2026
edited by cursor Bot
Loading

Summary

  • Adds "protobufjs": "7.5.6" to pnpm.overrides in package.json to resolve Dependabot alert #132
  • Addresses GHSA-xq3m-2v4x-88gg / CVE-2026-41242 (CVSS 9.8) — crafted JSON descriptor allows arbitrary JS execution in protobufjs < 7.5.5
  • protobufjs@7.5.4 was a transitive dep via posthog-js → @opentelemetry/otlp-transformer → protobufjs ^7.3.0; we have no direct usage
  • Pins to exact 7.5.6 (not a range) to avoid floating to 7.5.7 which was released <7 days ago; mirrors existing tar override pattern

Test plan

  • pnpm install resolves cleanly — lockfile no longer references protobufjs@7.5.4
  • pnpm lint passes (3 pre-existing warnings, no errors)
  • pnpm test — 601/601 tests pass

🤖 Generated with Claude Code

Note

Low Risk
Low risk: dependency-resolution change only, pinning a transitive package to a patched version; main risk is unexpected runtime incompatibility from the forced protobufjs version.

Overview
Pins the transitive dependency protobufjs to 7.5.6 using pnpm.overrides in package.json.

Updates pnpm-lock.yaml so all references resolve to protobufjs@7.5.6 (and corresponding @protobufjs/* sub-deps), replacing the previously installed 7.5.4.

Reviewed by Cursor Bugbot for commit b98526a. Bugbot is set up for automated code reviews on this repo. Configure here.

@teallarson @claude
fix(deps): pin protobufjs to 7.5.6 to resolve CVE-2026-41242
b98526a 
Adds `protobufjs: "7.5.6"` to `pnpm.overrides` to address Dependabot
alert #132 (GHSA-xq3m-2v4x-88gg, CVSS 9.8). The vulnerable 7.5.4 was
a transitive dep via posthog-js → @opentelemetry/otlp-transformer.
Pattern mirrors the existing `tar` override.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vercel
Copy link
Copy Markdown

vercel Bot commented May 13, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment May 13, 2026 7:33pm

Request Review

@teallarson teallarson marked this pull request as ready for review May 13, 2026 19:49
@teallarson teallarson merged commit 9184c8a into main May 13, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nbarbettini nbarbettini nbarbettini approved these changes

@torresmateo torresmateo Awaiting requested review from torresmateo

@jottakka jottakka Awaiting requested review from jottakka

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@teallarson @nbarbettini