
fix(deps): bump protobufjs to >=8.0.2 for 4 high severity CVEs #462

Merged
sergioestebance merged 1 commit into main from fix/deps-bump-protobufjs-to-8.0.2 on May 13, 2026

Conversation

@sergioestebance

Contributor

Summary

  • Bumps the protobufjs pnpm override from 8.0.1 to 8.0.2 to fix 4 high severity CVEs in the v8 series
  • The previous override (protobufjs@>=8.0.0 <8.0.1 → 8.0.1, from PR fix(security): patch critical CVEs in protobufjs and handlebars #390) is itself now vulnerable — these are newly published advisories affecting 8.0.1
  • Override range widened to protobufjs@>=8.0.0 <8.0.2 → 8.0.2 so any transitive resolution in that range is caught

CVEs addressed

Alert   GHSA                  Summary
#365    GHSA-685m-2w69-288q   DoS through unbounded protobuf recursion
#366    GHSA-jvwf-75h9-cwgg   DoS through unsafe option paths
#367    GHSA-75px-5xx7-5xc7   Code generation gadget after prototype pollution
#369    GHSA-66ff-xgx4-vchm   Code injection through bytes field defaults

Why pnpm overrides

protobufjs is a transitive dependency (via @grpc/proto-loader, @opentelemetry/otlp-transformer). We can't bump the direct parents to pull in the fix, so the pnpm override is the correct mechanism — it persists in package.json and will enforce the minimum safe version even after lockfile regeneration.

Closes Dependabot alerts #365, #366, #367, #369

Test plan

  • pnpm install succeeds
  • Lockfile resolves protobufjs@8.0.2
  • CI passes

Update pnpm override from 8.0.1 to 8.0.2 to address:
- GHSA-685m-2w69-288q: DoS through unbounded protobuf recursion
- GHSA-jvwf-75h9-cwgg: DoS through unsafe option paths
- GHSA-75px-5xx7-5xc7: code generation gadget after prototype pollution
- GHSA-66ff-xgx4-vchm: code injection through bytes field defaults

Closes #365, #366, #367, #369
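As an added example, not code from this PR or the repository, the following POSIX shell script turns the override mechanism and the test-plan item "lockfile resolves protobufjs@8.0.2" into a repeatable check. It writes a constructed package.json carrying a pnpm override of the same shape as the one in this PR, writes constructed before/after excerpts of a pnpm-lock.yaml (not the project's real lockfile), reads the version the override pins, and verifies that every protobufjs version the lockfile resolves is at or above it. The fixture contents and the helper names (vercmp, override_target, resolved_versions, check_lockfile) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the PR's or repository's code): verify that a pnpm override
# for protobufjs actually took effect in pnpm-lock.yaml. Every file written below
# is a constructed fixture, not the project's real package.json or lockfile.
set -eu

# vercmp A B: print -1, 0 or 1 comparing dotted numeric versions (prerelease
# suffixes such as "-rc.1" are ignored; only the numeric prefix of each part counts).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# override_target PACKAGE_JSON PKG: print the version that a pnpm.overrides entry
# pins PKG to (the "8.0.2" in "protobufjs@>=8.0.0 <8.0.2": "8.0.2"), or nothing.
override_target() {
  grep -oE "\"${2}@[^\"]*\"[[:space:]]*:[[:space:]]*\"[^\"]+\"" "$1" \
    | sed -E 's/.*:[[:space:]]*"([^"]+)"$/\1/' | head -n 1
}

# resolved_versions LOCKFILE PKG: distinct versions of an unscoped PKG that the
# lockfile resolves. Catches v6 keys (/pkg@1.2.3:), v9 keys (pkg@1.2.3:, with or
# without a peer suffix) and dependency lines (pkg: 1.2.3). The overrides block
# (pkg@>=...: ...) is deliberately not matched: it is a range, not a resolution.
resolved_versions() {
  grep -E "^[[:space:]]*/?${2}[@:][[:space:]]*[0-9]" "$1" \
    | sed -E "s#^[[:space:]]*/?${2}[@:][[:space:]]*([0-9][^([:space:]:]*).*#\1#" \
    | sort -u
}

# check_lockfile LOCKFILE PKG MIN: succeed only if PKG resolves somewhere and every
# resolved version is >= MIN. A lockfile that still carries 8.0.1 anywhere fails.
check_lockfile() {
  rc=0; found=0
  for v in $(resolved_versions "$1" "$2"); do
    found=1
    if [ "$(vercmp "$v" "$3")" -lt 0 ]; then
      echo "FAIL: $2@$v is below $3 in $1" >&2; rc=1
    fi
  done
  [ "$found" -eq 1 ] || { echo "FAIL: $2 not resolved in $1" >&2; return 1; }
  return $rc
}

# Constructed package.json for a hypothetical app, carrying this PR's override shape.
write_package_json() {
  cat > "$1" <<'EOF'
{
  "name": "example-app",
  "dependencies": { "@grpc/proto-loader": "^0.7.13" },
  "pnpm": { "overrides": { "protobufjs@>=8.0.0 <8.0.2": "8.0.2" } }
}
EOF
}

# Constructed lockfile excerpt in which protobufjs resolves to $2 everywhere.
write_lock() {
  cat > "$1" <<EOF
lockfileVersion: '9.0'

overrides:
  protobufjs@>=8.0.0 <$2: $2

packages:
  '@grpc/proto-loader@0.7.13':
    resolution: {integrity: sha512-constructed}

  protobufjs@$2:
    resolution: {integrity: sha512-constructed}

snapshots:
  '@grpc/proto-loader@0.7.13':
    dependencies:
      protobufjs: $2

  protobufjs@$2: {}
EOF
}

main() {
  dir=$(mktemp -d)
  write_package_json "$dir/package.json"
  min=$(override_target "$dir/package.json" protobufjs)   # 8.0.2
  write_lock "$dir/before.yaml" 8.0.1                     # lockfile under the old 8.0.1 override
  write_lock "$dir/after.yaml" 8.0.2                      # lockfile after this bump
  check_lockfile "$dir/before.yaml" protobufjs "$min" || echo "before: override not yet applied"
  check_lockfile "$dir/after.yaml" protobufjs "$min" && echo "after: every protobufjs resolution is >= $min"
  rm -rf "$dir"
}
main
```

The grep-based scan is intentionally narrow: it targets an unscoped package name and numeric versions, so a lockfile that resolves the package only under a scoped alias would need a wider pattern. Against a real checkout, pnpm's own `pnpm why protobufjs` shows which parents pull in which version and is the quicker manual check; the script is the form that fits a CI step, because it fails the build rather than printing a tree.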
@github-actions

Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

The change updates a transitive third‑party dependency (protobufjs) via pnpm overrides and modifies the lockfile to move from 8.0.1 to 8.0.2. Dependency updates affect external library behavior/integrations and are not listed as an allowed low‑risk change, so this PR should not be auto‑labeled low-risk.

This PR requires a manual review before merging.

@sergioestebance sergioestebance self-assigned this May 13, 2026
@sergioestebance sergioestebance added the dependencies Pull requests that update a dependency file label May 13, 2026
@sergioestebance sergioestebance merged commit e2c0499 into main May 13, 2026
9 of 11 checks passed
@sergioestebance sergioestebance deleted the fix/deps-bump-protobufjs-to-8.0.2 branch May 13, 2026 08:28
langwatch-agent pushed a commit that referenced this pull request Jul 2, 2026
Clears HIGH alert #462 (starlette < 1.3.1) in python/uv.lock, alongside the
cryptography and python-multipart floors already in this PR. starlette is
transitive via fastapi (>=0.110, no cap); surgical uv upgrade, 1.2.1 -> 1.3.1.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>