Skip to content

chore(deps): update dependency protobufjs to v8.6.5#1889

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/protobufjs-8.x
Jul 8, 2026
Merged

chore(deps): update dependency protobufjs to v8.6.5#1889
renovate[bot] merged 1 commit into
mainfrom
renovate/protobufjs-8.x

Conversation

@renovate

@renovate renovate Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
protobufjs 8.6.48.6.5 age confidence

Release Notes

protobufjs/protobuf.js (protobufjs)

v8.6.5

Compare Source

Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "every weekend,every weekday after 5pm,every weekday before 8am"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner July 8, 2026 06:28
@renovate renovate Bot added dependencies renovate This is an automated PR by RenovateBot labels Jul 8, 2026
@renovate renovate Bot enabled auto-merge (squash) July 8, 2026 06:28
@renovate renovate Bot requested a review from teemow July 8, 2026 06:28
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

JS Dependency Audit

0 added · 0 removed · 167 total (0 vs base)

Projects audited
  • . (manager: yarn-berry)
  • ./packages/app (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./packages/backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./packages/backend-common (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./packages/backend-headless-service (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ai-chat (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ai-chat-backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ai-chat-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/auth-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/catalog-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/error-reporter-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/flux (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/flux-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs-backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs-common (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs-node (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/kubernetes-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/muster (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/muster-backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/scaffolder-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/techdocs-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ui-react (manager: unknown) — skipped on PR head: no recognized lockfile

No change in vulnerabilities compared to the base branch.

Full current vulnerability list (167)
  • 🔴 critical cipher-base (<=1.0.4) — cipher-base is missing type checks, leading to hash rewind and passing on crafted data advisory
  • 🔴 critical elliptic (<=6.6.0) — Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) advisory
  • 🔴 critical handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection via AST Type Confusion advisory
  • 🔴 critical pbkdf2 (>=3.0.10 <=3.1.2) — pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos advisory
  • 🔴 critical pbkdf2 (>=1.0.0 <=3.1.2) — pbkdf2 silently disregards Uint8Array input, returning static keys advisory
  • 🔴 critical shell-quote (>=1.1.0 <=1.8.3) — shell-quote quote() does not escape newlines in object .op values advisory
  • 🟠 high @backstage/backend-defaults (<0.12.2) — Backstage has a Possible Symlink Path Traversal in Scaffolder Actions advisory
  • 🟠 high @backstage/plugin-scaffolder-node (>=0.12.0 <0.12.3) — Backstage has a Possible Symlink Path Traversal in Scaffolder Actions advisory
  • 🟠 high @backstage/plugin-scaffolder-node (<0.11.2) — Backstage has a Possible Symlink Path Traversal in Scaffolder Actions advisory
  • 🟠 high @grpc/grpc-js (>=1.14.0 <1.14.4) — @grpc/grpc-js: A malformed request can cause a server crash advisory
  • 🟠 high @grpc/grpc-js (>=1.14.0 <1.14.4) — @grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash advisory
  • 🟠 high @hono/node-server (<1.19.10) — @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware advisory
  • 🟠 high fast-uri (<=3.1.0) — fast-uri vulnerable to path traversal via percent-encoded dot segments advisory
  • 🟠 high fast-uri (<=3.1.1) — fast-uri vulnerable to host confusion via percent-encoded authority delimiters advisory
  • 🟠 high fast-xml-parser (>=4.0.0-beta.3 <4.5.5) — fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) advisory
  • 🟠 high fast-xml-parser (>=5.0.0 <5.5.6) — fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) advisory
  • 🟠 high flatted (<3.4.0) — flatted vulnerable to unbounded recursion DoS in parse() revive phase advisory
  • 🟠 high flatted (<=3.4.1) — Prototype Pollution via parse() in NodeJS flatted advisory
  • 🟠 high glob (>=10.2.0 <10.5.0) — glob CLI: Command injection via -c/--cmd executes matches with shell:true advisory
  • 🟠 high glob (>=11.0.0 <11.1.0) — glob CLI: Command injection via -c/--cmd executes matches with shell:true advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options advisory
  • 🟠 high hono (<4.12.25) — hono: CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard advisory
  • 🟠 high immutable (<3.8.3) — Immutable is vulnerable to Prototype Pollution advisory
  • 🟠 high jsonata (<2.2.0) — jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion advisory
  • 🟠 high jws (=4.0.0) — auth0/node-jws Improperly Verifies HMAC Signature advisory
  • 🟠 high jws (<3.2.3) — auth0/node-jws Improperly Verifies HMAC Signature advisory
  • 🟠 high linkify-it (<=5.0.0) — LinkifyIt#match scan loop has quadratic algorithmic complexity advisory
  • 🟠 high lodash (>=4.0.0 <=4.17.23) — lodash vulnerable to Code Injection via _.template imports key names advisory
  • 🟠 high lodash-es (>=4.0.0 <=4.17.23) — lodash vulnerable to Code Injection via _.template imports key names advisory
  • 🟠 high path-to-regexp (>=8.0.0 <8.4.0) — path-to-regexp vulnerable to Denial of Service via sequential optional groups advisory
  • 🟠 high picomatch (<2.3.2) — Picomatch has a ReDoS vulnerability via extglob quantifiers advisory
  • 🟠 high picomatch (>=4.0.0 <4.0.4) — Picomatch has a ReDoS vulnerability via extglob quantifiers advisory
  • 🟠 high tmp (<0.2.6) — tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape advisory
  • 🟠 high underscore (<=1.13.7) — Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack advisory
  • 🟡 moderate @babel/runtime (<7.26.10) — Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups advisory
  • 🟡 moderate @backstage/backend-common (0.25.0) — This package is deprecated, please follow the deprecation instructions for the exports you still use
  • 🟡 moderate @backstage/cli-common (<=0.1.16) — @backstage/cli-common has a possible resolveSafeChildPath Symlink Chain Bypass advisory
  • 🟡 moderate @backstage/plugin-circleci (0.3.35) — This package has been moved to the to the https://github.com/CircleCI-Public/backstage-plugin repository. You should migrate to using that instead.
  • 🟡 moderate @fortawesome/react-fontawesome (0.2.6) — v0.2.x is no longer supported. Unless you are still using FontAwesome 5, please update to v3.1.1 or greater.
  • 🟡 moderate @hono/node-server (<1.19.13) — @hono/node-server: Middleware bypass via repeated slashes in serveStatic advisory
  • 🟡 moderate @humanwhocodes/config-array (0.13.0) — Use @eslint/config-array instead
  • 🟡 moderate @humanwhocodes/object-schema (2.0.3) — Use @eslint/object-schema instead
  • 🟡 moderate @material-ui/core (4.12.4) — Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
  • 🟡 moderate @material-ui/lab (4.0.0-alpha.61) — Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
  • 🟡 moderate @material-ui/pickers (3.3.11) — This package no longer supported. It has been relaced by @mui/x-date-pickers
  • 🟡 moderate @material-ui/styles (4.11.5) — Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
  • 🟡 moderate @octokit/endpoint (>=9.0.5 <9.0.6) — @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/plugin-paginate-rest (>=1.0.0 <9.2.2) — @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/plugin-paginate-rest (>=9.3.0-beta.1 <11.4.1) — @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/request (>=1.0.0 <8.4.1) — @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/request-error (>=1.0.0 <5.1.1) — @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @react-hookz/deep-equal (1.0.4) — PACKAGE IS DEPRECATED AND WILL BE DETED SOON, USE @ver0/deep-equal INSTEAD
  • 🟡 moderate @rjsf/material-ui (5.24.13) — Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
  • 🟡 moderate @sentry/browser (<7.119.1) — Sentry SDK Prototype Pollution gadget in JavaScript SDKs advisory
  • 🟡 moderate @types/http-proxy-middleware (1.0.0) — This is a stub types definition. http-proxy-middleware provides its own type definitions, so you do not need this installed.
  • 🟡 moderate @types/keyv (4.2.0) — This is a stub types definition. keyv provides its own type definitions, so you do not need this installed.
  • 🟡 moderate @ungap/structured-clone (1.3.0) — Potential CWE-502 - Update to 1.3.1 or higher
  • 🟡 moderate atlassian-openapi (1.0.19) — DEPRECATED: atlassian-openapi has moved to @atlassian/atlassian-openapi. The latest version is 1.0.6. Please update your dependency.
  • 🟡 moderate bn.js (>=5.0.0 <5.2.3) — bn.js affected by an infinite loop advisory
  • 🟡 moderate bn.js (<4.12.3) — bn.js affected by an infinite loop advisory
  • 🟡 moderate boolean (3.2.0) — Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
  • 🟡 moderate brace-expansion (<1.1.13) — brace-expansion: Zero-step sequence causes process hang and memory exhaustion advisory
  • 🟡 moderate brace-expansion (>=2.0.0 <2.0.3) — brace-expansion: Zero-step sequence causes process hang and memory exhaustion advisory
  • 🟡 moderate brace-expansion (>=4.0.0 <5.0.5) — brace-expansion: Zero-step sequence causes process hang and memory exhaustion advisory
  • 🟡 moderate brace-expansion (>=5.0.0 <5.0.6) — brace-expansion: Large numeric range defeats documented max DoS protection advisory
  • 🟡 moderate core-js (2.6.12) — core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
  • 🟡 moderate dompurify (>=3.1.3 <3.2.7) — DOMPurify contains a Cross-site Scripting vulnerability advisory
  • 🟡 moderate dompurify (>=3.1.3 <=3.3.1) — DOMPurify contains a Cross-site Scripting vulnerability advisory
  • 🟡 moderate dompurify (<=3.3.1) — DOMPurify ADD_ATTR predicate skips URI validation advisory
  • 🟡 moderate dompurify (<=3.3.1) — DOMPurify USE_PROFILES prototype pollution allows event handlers advisory
  • 🟡 moderate dompurify (<=3.3.3) — DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation advisory
  • 🟡 moderate dompurify (<3.4.0) — DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) advisory
  • 🟡 moderate dompurify (>=1.0.10 <3.4.0) — DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode advisory
  • 🟡 moderate dompurify (>=3.0.1 <3.4.0) — DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback advisory
  • 🟡 moderate dompurify (<3.3.2) — DOMPurify is vulnerable to mutation-XSS via Re-Contextualization advisory
  • 🟡 moderate dompurify (<3.4.7) — DOMPurify: Hook mutation of data.allowedTags / data.allowedAttributes permanently pollutes DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR advisory
  • 🟡 moderate dompurify (<=3.4.5) — DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound instanceof checks advisory
  • 🟡 moderate dompurify (<=3.4.5) — DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM advisory
  • 🟡 moderate dompurify (<=3.4.6) — DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside .content advisory
  • 🟡 moderate dompurify (<=3.4.10) — DOMPurify: Permanent ALLOWED_ATTR pollution via setConfig() bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch) advisory
  • 🟡 moderate eslint (8.57.1) — This version is no longer supported. Please see https://eslint.org/version-support for other options.
  • 🟡 moderate fast-xml-parser (>=5.0.0 <5.5.7) — Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser advisory
  • 🟡 moderate fast-xml-parser (>=4.0.0-beta.3 <4.5.5) — Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser advisory
  • 🟡 moderate fast-xml-parser (<5.7.0) — fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters advisory
  • 🟡 moderate file-type (>=13.0.0 <21.3.1) — file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header advisory
  • 🟡 moderate follow-redirects (<=1.15.11) — follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets advisory
  • 🟡 moderate glob (7.2.3) — Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
  • 🟡 moderate handlebars (>=4.0.0 <4.7.9) — Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection advisory
  • 🟡 moderate handlebars (>=4.6.0 <=4.7.8) — Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry advisory
  • 🟡 moderate har-validator (5.1.5) — this library is no longer supported
  • 🟡 moderate hono (<4.12.12) — Hono missing validation of cookie name on write path in setCookie() advisory
  • 🟡 moderate hono (<4.12.12) — Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() advisory
  • 🟡 moderate hono (>=4.0.0 <=4.12.11) — Hono: Path traversal in toSSG() allows writing files outside the output directory advisory
  • 🟡 moderate hono (<4.12.12) — Hono: Middleware bypass via repeated slashes in serveStatic advisory
  • 🟡 moderate hono (<4.12.12) — Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses advisory
  • 🟡 moderate hono (<4.12.18) — Hono has CSS Declaration Injection via Style Object Values in JSX SSR advisory
  • 🟡 moderate hono (<4.12.18) — Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage advisory
  • 🟡 moderate hono (<4.12.16) — Hono: bodyLimit() can be bypassed for chunked / unknown-length requests advisory
  • 🟡 moderate hono (<4.12.16) — hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection advisory
  • 🟡 moderate hono (<4.12.21) — Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 advisory
  • 🟡 moderate hono (<4.12.21) — Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection advisory
  • 🟡 moderate hono (<4.12.21) — Hono: JWT middleware accepts any Authorization scheme, not only Bearer advisory
  • 🟡 moderate hono (<4.12.21) — Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths advisory
  • 🟡 moderate hono (<4.12.25) — hono: Path traversal in serve-static on Windows via encoded backslash (%5C) advisory
  • 🟡 moderate hono (<4.12.25) — hono: AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice advisory
  • 🟡 moderate hono (<4.12.25) — hono: Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length advisory
  • 🟡 moderate hono (<4.12.25) — hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest advisory
  • 🟡 moderate hono (<4.12.14) — hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR advisory
  • 🟡 moderate http-proxy-middleware (>=3.0.0 <3.0.5) — http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed advisory
  • 🟡 moderate http-proxy-middleware (>=3.0.0 <3.0.4) — http-proxy-middleware can call writeBody twice because "else if" is not used advisory
  • 🟡 moderate http-proxy-middleware (>=0.16.0 <2.0.10) — http-proxy-middleware router host+path substring matching allows Host-header-driven backend routing bypass advisory
  • 🟡 moderate http-proxy-middleware (>=3.0.0 <3.0.6) — http-proxy-middleware router host+path substring matching allows Host-header-driven backend routing bypass advisory
  • 🟡 moderate inflight (1.0.6) — This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
  • 🟡 moderate ip-address (<=10.1.0) — ip-address has XSS in Address6 HTML-emitting methods advisory
  • 🟡 moderate js-yaml (<3.15.0) — JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases advisory
  • 🟡 moderate js-yaml (>=4.0.0 <=4.1.1) — JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases advisory
  • 🟡 moderate launch-editor (<=2.14.0) — launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows advisory
  • 🟡 moderate lodash (<=4.17.23) — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit advisory
  • 🟡 moderate lodash-es (<=4.17.23) — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit advisory
  • 🟡 moderate lodash-es (>=4.0.0 <=4.17.22) — Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions advisory
  • 🟡 moderate lodash.get (4.4.2) — This package is deprecated. Use the optional chaining (?.) operator instead.
  • 🟡 moderate lodash.isequal (4.5.0) — This package is deprecated. Use require('node:util').isDeepStrictEqual instead.
  • 🟡 moderate markdown-it (>=13.0.0 <14.1.1) — markdown-it is has a Regular Expression Denial of Service (ReDoS) advisory
  • 🟡 moderate markdown-it (<=14.1.1) — markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations advisory
  • 🟡 moderate nanoid (<3.3.8) — Predictable results in nanoid generation when given non-integer values advisory
  • 🟡 moderate node-domexception (1.0.0) — Use your platform's native DOMException instead
  • 🟡 moderate path-to-regexp (>=8.0.0 <8.4.0) — path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards advisory
  • 🟡 moderate picomatch (<2.3.2) — Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching advisory
  • 🟡 moderate picomatch (>=4.0.0 <4.0.4) — Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching advisory
  • 🟡 moderate postcss (<8.5.10) — PostCSS has XSS via Unescaped </style> in its CSS Stringify Output advisory
  • 🟡 moderate prebuild-install (7.1.3) — No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
  • 🟡 moderate prismjs (<1.30.0) — PrismJS DOM Clobbering vulnerability advisory
  • 🟡 moderate qs (<6.14.1) — qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion advisory
  • 🟡 moderate qs (>=6.11.1 <=6.15.1) — qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set advisory
  • 🟡 moderate react-beautiful-dnd (13.1.1) — react-beautiful-dnd is now deprecated. Context and options: react-beautiful-dnd is now deprecated atlassian/react-beautiful-dnd#2672
  • 🟡 moderate request (<=2.88.2) — Server-Side Request Forgery in Request advisory
  • 🟡 moderate rimraf (3.0.2) — Rimraf versions prior to v4 are no longer supported
  • 🟡 moderate stable (0.1.8) — Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
  • 🟡 moderate tough-cookie (<4.1.3) — tough-cookie Prototype Pollution vulnerability advisory
  • 🟡 moderate uuid (<11.1.1) — uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided advisory
  • 🟡 moderate webpack-dev-server (<=5.2.3) — webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins advisory
  • 🟡 moderate webpack-dev-server (<5.2.5) — webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies advisory
  • 🟡 moderate yaml (>=1.0.0 <1.10.3) — yaml is vulnerable to Stack Overflow via deeply nested YAML collections advisory
  • 🟡 moderate yaml (>=2.0.0 <2.8.3) — yaml is vulnerable to Stack Overflow via deeply nested YAML collections advisory
  • 🔵 low @babel/core (<=7.29.0) — @babel/core: Arbitrary File Read via sourceMappingURL Comment advisory
  • 🔵 low @backstage/backend-defaults (<0.12.2) — Backstage has a Possible SSRF when reading from allowed URL's in backend.reading.allow advisory
  • 🔵 low @backstage/integration (<=1.20.0) — Backstage vulnerable to potential reading of SCM URLs using built in token advisory
  • 🔵 low @smithy/config-resolver (<4.4.0) — AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value advisory
  • 🔵 low @tootallnate/once (<2.0.1) — @tootallnate/once vulnerable to Incorrect Control Flow Scoping advisory
  • 🔵 low brace-expansion (>=1.0.0 <=1.1.11) — brace-expansion Regular Expression Denial of Service vulnerability advisory
  • 🔵 low brace-expansion (>=2.0.0 <=2.0.1) — brace-expansion Regular Expression Denial of Service vulnerability advisory
  • 🔵 low cookie (<0.7.0) — cookie accepts cookie name, path, and domain with out of bounds characters advisory
  • 🔵 low diff (>=4.0.0 <4.0.4) — jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch advisory
  • 🔵 low diff (>=5.0.0 <5.2.2) — jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch advisory
  • 🔵 low dompurify (<=3.4.6) — DOMPurify: IN_PLACE mode trusts attacker-controlled nodeName on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects advisory
  • 🔵 low dompurify (<3.4.9) — DOMPurify: Trusted Types policy survives clearConfig() and can poison later RETURN_TRUSTED_TYPE output advisory
  • 🔵 low dompurify (>=3.0.0 <=3.4.7) — DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside content when using DOM output modes advisory
  • 🔵 low elliptic (<6.6.0) — Valid ECDSA signatures erroneously rejected in Elliptic advisory
  • 🔵 low elliptic (<=6.6.1) — Elliptic Uses a Cryptographic Primitive with a Risky Implementation advisory
  • 🔵 low esbuild (>=0.27.3 <0.28.1) — esbuild allows arbitrary file read when running the development server on Windows advisory
  • 🔵 low handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has a Property Access Validation Bypass in container.lookup advisory
  • 🔵 low hono (<4.12.18) — Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() advisory
  • 🔵 low on-headers (<1.1.0) — on-headers is vulnerable to http response header manipulation advisory
  • 🔵 low tmp (<=0.2.3) — tmp allows arbitrary temporary file / directory write via symbolic link dir parameter advisory

@renovate renovate Bot merged commit c147247 into main Jul 8, 2026
11 of 12 checks passed
@renovate renovate Bot deleted the renovate/protobufjs-8.x branch July 8, 2026 06:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies renovate This is an automated PR by RenovateBot

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant