chore(deps): pin protobufjs to >=8.0.2 to clear 7 transitive advisories
protobufjs 8.0.0 / 8.0.1 ship 7 fresh advisories (4 high, 3 moderate — prototype pollution, dos via unbounded recursion, code-gen gadget after prototype pollution, etc.) that block `pnpm audit --audit-level=moderate`, which the ci:audit gate runs on every push. the vulnerable version is pulled in transitively as @opentelemetry/exporter-trace-otlp-http > @opentelemetry/otlp-transformer > protobufjs the otlp-transformer doesn't allow a clean parent bump yet, so this pins the dep directly via pnpm.overrides — same shape we already use for axios, brace-expansion, follow-redirects, ip-address, tmp, and yaml. resolution lands on protobufjs@8.2.0 (latest stable). the override is `protobufjs@<8.0.2: ">=8.0.2"` so it auto-yields the moment a non-vulnerable transitive lands and the override becomes a no-op. advisories cleared: GHSA-66ff-xgx4-vchm high code generation gadget GHSA-75px-5xx7-5xc7 high code generation gadget after prototype pollution GHSA-jvwf-75h9-cwgg high process-wide dos through unsafe option paths GHSA-685m-2w69-288q high dos through unbounded protobuf recursion GHSA-q6x5-8v7m-xcrf moderate overlong utf-8 decoding GHSA-2pr8-phx7-x9h3 moderate dos from crafted field names in generated code GHSA-fx83-v9x8-x52w moderate prototype injection in generated message constructors verified locally: pnpm audit --audit-level=moderate ⇒ no known vulnerabilities found pnpm nx test portal-bff ⇒ 99/99 pass pnpm nx build portal-bff ⇒ webpack compiled successfully
This commit is contained in:
@@ -37,6 +37,7 @@
|
||||
"brace-expansion@<5.0.5": ">=5.0.5",
|
||||
"follow-redirects@<1.16.0": ">=1.16.0",
|
||||
"ip-address@<10.1.1": ">=10.1.1",
|
||||
"protobufjs@<8.0.2": ">=8.0.2",
|
||||
"tmp@<0.2.4": ">=0.2.4",
|
||||
"yaml@<2.8.3": ">=2.8.3"
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user