protobufjs 8.0.0 / 8.0.1 ship 7 fresh advisories (4 high, 3 moderate
— prototype pollution, dos via unbounded recursion, code-gen gadget
after prototype pollution, etc.) that block `pnpm audit
--audit-level=moderate`, which the ci:audit gate runs on every push.
the vulnerable version is pulled in transitively as
@opentelemetry/exporter-trace-otlp-http
> @opentelemetry/otlp-transformer
> protobufjs
the otlp-transformer doesn't allow a clean parent bump yet, so this
pins the dep directly via pnpm.overrides — same shape we already
use for axios, brace-expansion, follow-redirects, ip-address, tmp,
and yaml. resolution lands on protobufjs@8.2.0 (latest stable). the
override is `protobufjs@<8.0.2: ">=8.0.2"` so it auto-yields the
moment a non-vulnerable transitive lands and the override becomes
a no-op.
advisories cleared:
GHSA-66ff-xgx4-vchm high code generation gadget
GHSA-75px-5xx7-5xc7 high code generation gadget after prototype pollution
GHSA-jvwf-75h9-cwgg high process-wide dos through unsafe option paths
GHSA-685m-2w69-288q high dos through unbounded protobuf recursion
GHSA-q6x5-8v7m-xcrf moderate overlong utf-8 decoding
GHSA-2pr8-phx7-x9h3 moderate dos from crafted field names in generated code
GHSA-fx83-v9x8-x52w moderate prototype injection in generated message constructors
verified locally:
pnpm audit --audit-level=moderate ⇒ no known vulnerabilities found
pnpm nx test portal-bff ⇒ 99/99 pass
pnpm nx build portal-bff ⇒ webpack compiled successfully