fix(deps): bump protobufjs to 7.5.5 for GHSA-xq3m-2v4x-88gg#2395

Merged
malinskibeniamin merged 1 commit into master from bm/fix-protobufjs-ghsa-xq3m
Apr 21, 2026
Conversation

@malinskibeniamin (Contributor)

Summary

  • GHSA-xq3m-2v4x-88gg: protobufjs ≤7.5.4 / ≤8.0.0 generates JS functions by concatenating schema-derived identifiers and executing them via Function() without validation → RCE when processing untrusted schemas.
  • Console has no direct protobufjs dependency, but a transitive 7.5.4 was present in frontend/bun.lock and frontend/yarn.lock.
  • Pin protobufjs: ^7.5.5 in both overrides and resolutions of frontend/package.json to kill the finding.

Test plan

  • bun i + bun i --yarn produce clean lockfiles; every protobufjs reference resolves to 7.5.5.
  • CI green.

🤖 Generated with Claude Code

Advisory: code injection in protobufjs <=7.5.4 / <=8.0.0 via unsanitized
schema-derived identifiers in generated functions. Console has no direct
protobufjs dependency, but a transitive 7.5.4 was present via the lockfile.
Pin it to ^7.5.5 in both overrides and resolutions to kill the finding.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@malinskibeniamin (Contributor, Author)

@claude review

@claude

claude Bot commented Apr 20, 2026

Claude finished @malinskibeniamin's task in 1m 10s

PR Review

  • Read CLAUDE.md for repo guidelines
  • Review changed files
  • Analyze security fix correctness
  • Post review feedback

Summary: This PR pins protobufjs to ^7.5.5 to remediate GHSA-xq3m-2v4x-88gg (RCE via unsanitized Function() call in schema processing). Clean, minimal, and correct.

Security Fix Correctness

The approach is right: since protobufjs is a transitive dependency (pulled in by dockerode@4.0.9 via @grpc/proto-loader), pinning via package manager overrides/resolutions is the correct mechanism.

frontend/package.json:

  • overrides (used by npm/bun): "protobufjs": "^7.5.5"
  • resolutions (used by yarn): "protobufjs": "^7.5.5"
  • Follows the exact same pattern as other security overrides already in this file (elliptic, dompurify, ajv, etc.)

frontend/bun.lock:

  • Single protobufjs entry resolves to 7.5.5
  • Override field at the top of the lockfile confirms "protobufjs": "^7.5.5"

frontend/yarn.lock:

  • All requested ranges (^7.2.5, ^7.3.2, ^7.5.3) collapse to a single 7.5.5 entry with correct integrity hash ✅
  • No stale vulnerable versions remain in either lockfile ✅

Minor Notes

  1. ^7.5.5 semver range: Using ^7.5.5 (rather than an exact pin or >=7.5.5) is appropriate here — it allows future 7.x.x patch/minor updates but will never downgrade below the fixed version. Good call.

  2. overrides vs resolutions parity: There are some pre-existing divergences between these two sections (e.g., elliptic and yaml appear in overrides but not resolutions). This PR correctly adds protobufjs to both, which is the right pattern for dual bun/yarn support.

  3. Scope of transitive consumers: dockerode (dev dep, used by testcontainers) requests protobufjs@^7.3.2 and @grpc/proto-loader requests ^7.5.3 — both satisfied by 7.5.5. No compatibility issues.

Verdict

LGTM — correct, minimal fix with no functional changes. CI green would confirm the lockfiles are consistent.
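
A check for the two things the PR's test plan and the review's minor notes both rely on: that every lockfile entry for protobufjs resolves at or above the fixed version, and that a pin added to overrides (npm/bun) also landed in resolutions (yarn). This is an added example, not code from the PR or from the repository. It parses only the classic yarn.lock v1 format (bun.lock is a different format and is not handled here), and the lockfile text and package.json object below are constructed samples; apart from protobufjs 7.5.5 and the 7.5.4 that the PR removed, the version strings are illustrative.

```javascript
// Added example (not part of the PR or the repo): verify that a dependency
// override has actually taken effect, in the way the PR's test plan describes.
// Lockfile text and package.json contents below are constructed samples.

const PKG = "protobufjs";
const FIXED = "7.5.5"; // first non-vulnerable release per the advisory (<=7.5.4 affected)

// Compare two dotted numeric versions; returns <0, 0 or >0. Pre-release
// suffixes are dropped, which is enough for a floor check like this one.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Parse a classic (v1) yarn.lock into [{ specs, version }] entries.
// Entry headers are unindented lines ending in ':' that list the requested
// specs (possibly quoted, comma separated); fields are indented `key "value"`.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ") && raw.endsWith(":")) {
      const specs = raw
        .slice(0, -1)
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Package name of a spec such as `protobufjs@^7.3.2` or `@scope/name@^1.0.0`.
function specName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Every lock entry for `name` must resolve to >= `fixed`; returns the versions that do not.
function staleVersions(lockText, name, fixed) {
  return parseYarnLockV1(lockText)
    .filter((e) => e.specs.some((s) => specName(s) === name))
    .filter((e) => !e.version || compareVersions(e.version, fixed) < 0)
    .map((e) => e.version);
}

// Keys pinned in overrides (npm/bun) but not in resolutions (yarn), and vice versa.
function overrideParity(pkgJson) {
  const o = Object.keys(pkgJson.overrides || {});
  const r = Object.keys(pkgJson.resolutions || {});
  return {
    onlyInOverrides: o.filter((k) => !r.includes(k)),
    onlyInResolutions: r.filter((k) => !o.includes(k)),
  };
}

// Constructed sample: the collapsed entry the review describes, plus an unrelated entry.
const CLEAN_LOCK = `
# yarn lockfile v1

dockerode@^4.0.9:
  version "4.0.9"

protobufjs@^7.2.5, protobufjs@^7.3.2, protobufjs@^7.5.3:
  version "7.5.5"
  resolved "https://registry.yarnpkg.com/protobufjs/-/protobufjs-7.5.5.tgz"
  integrity sha512-constructed
`;

// Constructed sample: what a lockfile with a leftover vulnerable entry would look like.
const STALE_LOCK = `
protobufjs@^7.2.5, protobufjs@^7.3.2:
  version "7.5.4"

protobufjs@^7.5.3:
  version "7.5.5"
`;

// Constructed sample package.json: protobufjs pinned in both sections, elliptic in only one.
const SAMPLE_PKG = {
  overrides: { protobufjs: "^7.5.5", elliptic: "^6.6.1" }, // elliptic range is illustrative
  resolutions: { protobufjs: "^7.5.5" },
};

console.log({
  clean: staleVersions(CLEAN_LOCK, PKG, FIXED), // []
  stale: staleVersions(STALE_LOCK, PKG, FIXED), // ["7.5.4"]
  parity: overrideParity(SAMPLE_PKG),           // { onlyInOverrides: ["elliptic"], onlyInResolutions: [] }
});
```

In CI you would feed `frontend/yarn.lock` and `frontend/package.json` to `staleVersions` and `overrideParity` instead of the constructed samples and fail the job on any non-empty result; that turns the "every protobufjs reference resolves to 7.5.5" line of the test plan into a check that also catches a future lockfile regeneration that quietly reintroduces an older entry.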

malinskibeniamin added the labels frontend, security (Pull requests that address a security vulnerability) and ai-jam (AI Jam April 2026 related work) Apr 20, 2026
@malinskibeniamin malinskibeniamin enabled auto-merge (squash) April 20, 2026 23:14
@malinskibeniamin malinskibeniamin requested review from a team, Mateoc, SpicyPete, datamali and sago2k8 and removed request for a team April 20, 2026 23:29
@malinskibeniamin malinskibeniamin merged commit 0b5b1db into master Apr 21, 2026
17 checks passed
@malinskibeniamin malinskibeniamin deleted the bm/fix-protobufjs-ghsa-xq3m branch April 21, 2026 11:17

Labels: ai-jam (AI Jam April 2026 related work), frontend, security (Pull requests that address a security vulnerability), team/ux, ui/ux

2 participants