Skip to content

fix(deps): vuln protobufjs (minor → 7.6.4) #2362

Merged
Drarig29 merged 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1781556597
Jun 26, 2026
Merged

fix(deps): vuln protobufjs (minor → 7.6.4) #2362
Drarig29 merged 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1781556597

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
protobufjs 7.5.3 7.6.4 minor Transitive 1 CRITICAL, 5 HIGH, 5 MEDIUM

Security Details

🚨 Critical & High Severity (6 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
protobufjs GHSA-xq3m-2v4x-88gg CRITICAL Arbitrary code execution in protobufjs 7.5.3 8.0.1
protobufjs GHSA-jvwf-75h9-cwgg HIGH protobuf.js: Process-wide denial of service through unsafe option paths 7.5.3 7.5.6
protobufjs GHSA-685m-2w69-288q HIGH protobuf.js: Denial of service through unbounded protobuf recursion 7.5.3 7.5.6
protobufjs GHSA-wcpc-wj8m-hjx6 HIGH protobufjs: Denial of service through unbounded Any expansion during JSON conversion 7.5.3 7.6.1
protobufjs GHSA-66ff-xgx4-vchm HIGH protobuf.js: Code injection through bytes field defaults in generated toObject code 7.5.3 7.5.6
protobufjs GHSA-75px-5xx7-5xc7 HIGH protobuf.js: Code generation gadget after prototype pollution 7.5.3 7.5.6
ℹ️ Other Vulnerabilities (5)
Package CVE Severity Summary Unsafe Version Fixed In
protobufjs GHSA-fx83-v9x8-x52w MODERATE protobuf.js: Prototype injection in generated message constructors 7.5.3 7.5.6
protobufjs GHSA-jggg-4jg4-v7c6 MODERATE protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion 7.5.3 7.5.8
protobufjs GHSA-q6x5-8v7m-xcrf MODERATE protobufjs has overlong UTF-8 decoding 7.5.3 7.5.6
protobufjs GHSA-2pr8-phx7-x9h3 MODERATE protobuf.js: Denial of service from crafted field names in generated code 7.5.3 7.5.6
protobufjs GHSA-f38q-mgvj-vph7 MODERATE protobufjs : Schema-derived names can shadow runtime-significant properties 7.5.3 7.6.3

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jun 15, 2026

Copy link
Copy Markdown

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

PR labels | Categorize PR   View in Datadog   GitHub Actions

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 5504c02 | Docs | Datadog PR Page | Give us feedback!

@dd-prapprover

dd-prapprover Bot commented Jun 16, 2026

Copy link
Copy Markdown

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-06-16T13:47:45Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.

@Drarig29
Drarig29 merged commit 59dac54 into master Jun 26, 2026
39 of 41 checks passed
@Drarig29
Drarig29 deleted the engraver-auto-version-upgrade/minorpatch/npm/0-1781556597 branch June 26, 2026 09:11
@ava-silver ava-silver mentioned this pull request Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant