chore(deps): update protobufjs to v8#3042
Merged
chrarnoldus merged 2 commits intomainfrom May 5, 2026
Merged
Conversation
Contributor
Author
Code Review SummaryStatus: No Issues Found | Recommendation: Merge Files Reviewed (2 files)
Reviewed by gpt-5.5-20260423 · 136,201 tokens |
johnnyeric
approved these changes
May 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
protobufjsfrom 7.5.4 to ^8.0.3 via apnpm.overridesentry in the rootpackage.json.protobufjsis not a direct dependency of any package in this repo; it is only pulled in transitively by@opentelemetry/otlp-transformer, which uses it to encode/decode OTLP protobuf payloads against its own pre-generated descriptors.Why the v8 breaking change does not impact us
The only breaking change in protobufjs v8.0.0 is the addition of Edition 2024 support in the
.protoparser. That affects code paths where.protofiles are parsed at runtime (or viapbjs/pbts) to buildRoot/Typedescriptors.We do not do that anywhere:
protobufjs..protofiles are shipped or loaded at runtime.@opentelemetry/otlp-transformer, uses bundled, statically generated OTLP descriptors and only usesprotobufjsfor wire-format encode/decode, which is unchanged by the Edition 2024 work.In addition to the edition work, v8 rolls up the 7.5.5 / 7.5.6 input-hardening and security fixes, so this is a safe upgrade for our usage.
Verification
grep -rn protobufjsacrosspackage.jsonfiles confirms no direct dependents; the only reference is thepnpm.onlyBuiltDependenciesallowlist entry (build-script approval, not a dep).pnpm-lock.yamlshowsprotobufjs@7.5.4only under@opentelemetry/otlp-transformer.pnpm install) intentionally skipped in this commit per the request; will be applied together with CI/typecheck in a follow-up run before merge.Visual Changes
N/A
Reviewer Notes
^8.0.3so we pick up 8.x patch releases automatically.pnpm installstill needs to be run to regenerate the lockfile before this can land — flagging so reviewers are not surprised by the missing lockfile update..protofiles at runtime, that code should be reviewed against the Edition 2024 parser changes, but nothing today does.