chore(deps): pin protobufjs to >=8.0.2 to clear 7 transitive advisories #111

Merged
julien merged 1 commits from chore/deps/protobufjs into main 2026-05-12 19:16:19 +02:00
Owner

Summary

protobufjs 8.0.0 / 8.0.1 ship 7 fresh advisories (4 high, 3 moderate) pulled in transitively as @opentelemetry/exporter-trace-otlp-http → @opentelemetry/otlp-transformer → protobufjs. pnpm audit --audit-level=moderate flags them, which blocks the ci:audit gate on every push.

Pins the package directly via pnpm.overrides — same shape we already use for axios, brace-expansion, follow-redirects, ip-address, tmp, yaml. Resolution lands on protobufjs@8.2.0 (latest stable). The override is protobufjs@<8.0.2: ">=8.0.2" so it auto-yields the moment a non-vulnerable transitive lands and the override becomes a no-op — no need to remember to remove it.

Advisories cleared

ID Severity Issue
GHSA-66ff-xgx4-vchm high code generation gadget
GHSA-75px-5xx7-5xc7 high code generation gadget after prototype pollution
GHSA-jvwf-75h9-cwgg high process-wide DoS through unsafe option paths
GHSA-685m-2w69-288q high DoS through unbounded protobuf recursion
GHSA-q6x5-8v7m-xcrf moderate overlong UTF-8 decoding
GHSA-2pr8-phx7-x9h3 moderate DoS from crafted field names in generated code
GHSA-fx83-v9x8-x52w moderate prototype injection in generated message constructors

Test plan

  • pnpm audit --audit-level=moderateNo known vulnerabilities found
  • pnpm nx test portal-bff → 99/99 pass
  • pnpm nx build portal-bff → webpack compiled successfully
  • pnpm install resolves protobufjs@8.2.0 (verified in lockfile)
## Summary `protobufjs 8.0.0` / `8.0.1` ship 7 fresh advisories (4 high, 3 moderate) pulled in transitively as `@opentelemetry/exporter-trace-otlp-http → @opentelemetry/otlp-transformer → protobufjs`. `pnpm audit --audit-level=moderate` flags them, which blocks the `ci:audit` gate on every push. Pins the package directly via `pnpm.overrides` — same shape we already use for `axios`, `brace-expansion`, `follow-redirects`, `ip-address`, `tmp`, `yaml`. Resolution lands on `protobufjs@8.2.0` (latest stable). The override is `protobufjs@<8.0.2: ">=8.0.2"` so it auto-yields the moment a non-vulnerable transitive lands and the override becomes a no-op — no need to remember to remove it. ## Advisories cleared | ID | Severity | Issue | | ------------------- | -------- | ----------------------------------------------------- | | GHSA-66ff-xgx4-vchm | high | code generation gadget | | GHSA-75px-5xx7-5xc7 | high | code generation gadget after prototype pollution | | GHSA-jvwf-75h9-cwgg | high | process-wide DoS through unsafe option paths | | GHSA-685m-2w69-288q | high | DoS through unbounded protobuf recursion | | GHSA-q6x5-8v7m-xcrf | moderate | overlong UTF-8 decoding | | GHSA-2pr8-phx7-x9h3 | moderate | DoS from crafted field names in generated code | | GHSA-fx83-v9x8-x52w | moderate | prototype injection in generated message constructors | ## Test plan - [x] `pnpm audit --audit-level=moderate` → **No known vulnerabilities found** - [x] `pnpm nx test portal-bff` → 99/99 pass - [x] `pnpm nx build portal-bff` → webpack compiled successfully - [x] `pnpm install` resolves `protobufjs@8.2.0` (verified in lockfile)
julien added 1 commit 2026-05-12 19:16:05 +02:00
chore(deps): pin protobufjs to >=8.0.2 to clear 7 transitive advisories
CI / scan (pull_request) Successful in 2m37s
CI / commits (pull_request) Successful in 2m36s
CI / a11y (pull_request) Successful in 1m36s
CI / check (pull_request) Successful in 4m19s
CI / perf (pull_request) Successful in 4m51s
778e163ae9
protobufjs 8.0.0 / 8.0.1 ship 7 fresh advisories (4 high, 3 moderate
— prototype pollution, dos via unbounded recursion, code-gen gadget
after prototype pollution, etc.) that block `pnpm audit
--audit-level=moderate`, which the ci:audit gate runs on every push.

the vulnerable version is pulled in transitively as
@opentelemetry/exporter-trace-otlp-http
  > @opentelemetry/otlp-transformer
  > protobufjs

the otlp-transformer doesn't allow a clean parent bump yet, so this
pins the dep directly via pnpm.overrides — same shape we already
use for axios, brace-expansion, follow-redirects, ip-address, tmp,
and yaml. resolution lands on protobufjs@8.2.0 (latest stable). the
override is `protobufjs@<8.0.2: ">=8.0.2"` so it auto-yields the
moment a non-vulnerable transitive lands and the override becomes
a no-op.

advisories cleared:
  GHSA-66ff-xgx4-vchm  high      code generation gadget
  GHSA-75px-5xx7-5xc7  high      code generation gadget after prototype pollution
  GHSA-jvwf-75h9-cwgg  high      process-wide dos through unsafe option paths
  GHSA-685m-2w69-288q  high      dos through unbounded protobuf recursion
  GHSA-q6x5-8v7m-xcrf  moderate  overlong utf-8 decoding
  GHSA-2pr8-phx7-x9h3  moderate  dos from crafted field names in generated code
  GHSA-fx83-v9x8-x52w  moderate  prototype injection in generated message constructors

verified locally:
  pnpm audit --audit-level=moderate  ⇒  no known vulnerabilities found
  pnpm nx test portal-bff            ⇒  99/99 pass
  pnpm nx build portal-bff           ⇒  webpack compiled successfully
julien merged commit 2e9605a078 into main 2026-05-12 19:16:19 +02:00
julien deleted branch chore/deps/protobufjs 2026-05-12 19:16:21 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#111