chore: upgrade protobufjs to ^7.6.2 by brendan-kellam · Pull Request #1281 · sourcebot-dev/sourcebot

brendan-kellam · 2026-06-05T00:32:14Z

Fixes SOU-1115
Fixes SOU-1116
Fixes SOU-1117
Fixes SOU-1118
Fixes SOU-1119
Fixes SOU-1120
Fixes SOU-1282
Fixes SOU-1283

Refreshes the lockfile to bump the transitive protobufjs dependency from 7.5.4 to 7.6.2. Every requester range already allowed this version (^7.x), so only yarn.lock changed (no package.json / resolutions edit). This clears the open protobufjs CVE cluster reported by Trivy/Dependabot:

CVE-2026-41242 — arbitrary code execution via injected type fields
CVE-2026-44289 — unbounded recursion DoS
CVE-2026-44290 — unsafe option path traversal
CVE-2026-44291 — codegen gadget post prototype-pollution
CVE-2026-44292 — per-instance prototype injection
CVE-2026-44293 — bytes-field code injection
CVE-2026-44294 — control-char codegen DoS
CVE-2026-45740 — recursive JSON descriptor DoS

Also includes a docs commit updating the CVE-fix CHANGELOG convention in CLAUDE.md (CHANGELOG entries no longer enumerate CVE IDs).

🤖 Generated with Claude Code

Summary by CodeRabbit

Bug Fixes
- Upgraded protobufjs to ^7.6.2 to address security vulnerabilities.
Documentation
- Clarified CVE/upgrade workflow: guidance for batching related fixes and handling sibling PRs.
- Tightened CHANGELOG and PR conventions for CVE fixes, including required changelog entry format and one-line-per-PR rules.

coderabbitai · 2026-06-05T00:32:55Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 07f92e02-ef77-4743-8e60-9c276e38ce80

📥 Commits

Reviewing files that changed from the base of the PR and between 9f85873 and 2ab27cb.

⛔ Files ignored due to path filters (1)

yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

CHANGELOG.md
CLAUDE.md

✅ Files skipped from review due to trivial changes (2)

CHANGELOG.md
CLAUDE.md

Walkthrough

PR #1281 adds a Fixed line to CHANGELOG documenting an upgrade of protobufjs to ^7.6.2 and updates CLAUDE.md to clarify CVE batching rules and mandate a specific CHANGELOG entry format that excludes CVE IDs.

Changes

Security fix and CVE process

Layer / File(s)	Summary
Protobufjs CHANGELOG entry `CHANGELOG.md`	Added a new bullet under [Unreleased] → Fixed documenting the `protobufjs` upgrade to `^7.6.2`, referenced to PR `#1281`.
CVE batching and CHANGELOG conventions `CLAUDE.md`	Clarifies that when a sibling PR already pins a sufficient patched version, the existing CHANGELOG line stays unchanged; if the sibling's pin is too low, update that CHANGELOG line and the PR metadata. Mandates a single-line `[Unreleased] → Fixed` format that excludes CVE IDs and keeps CVE IDs in PR title/body.

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: upgrade protobufjs to ^7.6.2' accurately and concisely describes the main change in the PR, which is upgrading the protobufjs dependency to version 7.6.2 to address security vulnerabilities.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch cursor/cve/protobufjs

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

…26-44289, CVE-2026-44290, CVE-2026-44291, CVE-2026-44292, CVE-2026-44293, CVE-2026-44294, CVE-2026-45740 Refresh yarn.lock to bump transitive protobufjs from 7.5.4 to 7.6.2. All requester ranges already allowed this version (^7.x), so only the lockfile changed. Clears the open protobufjs CVE cluster (SOU-1115-1120, SOU-1282, SOU-1283). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

CHANGELOG entries for CVE upgrades now read "to address security vulnerabilities" instead of enumerating CVE IDs. CVE IDs remain in the PR title and body. Updated the batching rules to match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

coderabbitai

Actionable comments posted: 1

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d6edeaa4-2f1a-4a73-a2f2-74ad689a2c9f

📥 Commits

Reviewing files that changed from the base of the PR and between 2ad06aa and 9f85873.

⛔ Files ignored due to path filters (1)

yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

CHANGELOG.md
CLAUDE.md

github-actions · 2026-06-05T00:39:28Z

License Audit

⚠️ Status: PASS

Metric	Count
Total packages	2133
Resolved (non-standard)	21
Unresolved	0
Strong copyleft	0
Weak copyleft	38

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm	1.0.5	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-ppc64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-riscv64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-s390x	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-s390x	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-wasm32	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later AND MIT`
@img/sharp-wasm32	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later AND MIT`
@img/sharp-win32-arm64	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-ia32	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-ia32	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-x64	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-x64	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
axe-core	4.10.3	`MPL-2.0`
lightningcss	1.32.0	`MPL-2.0`
lightningcss-android-arm64	1.32.0	`MPL-2.0`
lightningcss-darwin-arm64	1.32.0	`MPL-2.0`
lightningcss-darwin-x64	1.32.0	`MPL-2.0`
lightningcss-freebsd-x64	1.32.0	`MPL-2.0`
lightningcss-linux-arm-gnueabihf	1.32.0	`MPL-2.0`
lightningcss-linux-arm64-gnu	1.32.0	`MPL-2.0`
lightningcss-linux-arm64-musl	1.32.0	`MPL-2.0`
lightningcss-linux-x64-gnu	1.32.0	`MPL-2.0`
lightningcss-linux-x64-musl	1.32.0	`MPL-2.0`
lightningcss-win32-arm64-msvc	1.32.0	`MPL-2.0`
lightningcss-win32-x64-msvc	1.32.0	`MPL-2.0`

Resolved Packages (21)

Package	Version	Original	Resolved	Source
@posthog/ai	7.18.7	`UNKNOWN`	`MIT`	package.json license field (node_modules) — declared MIT; bundled LICENSE text is Apache-2.0
@react-grab/cli	0.1.23	`UNKNOWN`	`MIT`	LICENSE file (node_modules)
@react-grab/cli	0.1.29	`UNKNOWN`	`MIT`	LICENSE file (node_modules)
@react-grab/mcp	0.1.29	`UNKNOWN`	`MIT`	LICENSE file (node_modules)
@sentry/cli	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	package.json license field + LICENSE file (node_modules)
@sentry/cli-darwin	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	package.json license field (node_modules)
@sentry/cli-linux-arm	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	package.json license field (node_modules)
@sentry/cli-linux-arm64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	package.json license field (node_modules)
@sentry/cli-linux-i686	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	package.json license field (node_modules)
@sentry/cli-linux-x64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	package.json license field (node_modules)
@sentry/cli-win32-arm64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	package.json license field (node_modules)
@sentry/cli-win32-i686	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	package.json license field (node_modules)
@sentry/cli-win32-x64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	package.json license field (node_modules)
codemirror-lang-elixir	4.0.0	`UNKNOWN`	`Apache-2.0`	LICENSE file (node_modules)
element-source	0.0.3	`UNKNOWN`	`MIT`	LICENSE file (node_modules)
lezer-elixir	1.1.2	`UNKNOWN`	`Apache-2.0`	LICENSE file (node_modules)
map-stream	0.1.0	`UNKNOWN`	`MIT`	LICENCE file (node_modules)
memorystream	0.3.1	`UNKNOWN`	`MIT`	extracted from license object {type:'MIT'} + LICENSE file (node_modules)
pause-stream	0.0.11	`MIT,Apache2`	`(MIT OR Apache-2.0)`	extracted from license array ['MIT','Apache2'] + LICENSE file (node_modules)
posthog-js	1.369.0	`SEE LICENSE IN LICENSE`	`Apache-2.0`	LICENSE file (node_modules)
valid-url	1.0.9	`UNKNOWN`	`MIT`	LICENSE file (node_modules)

brendan-kellam force-pushed the cursor/cve/protobufjs branch from a22dcc9 to 9f85873 Compare June 5, 2026 00:32

brendan-kellam changed the title ~~chore: upgrade protobufjs to ^7.6.2 to address CVE-2026-41242, CVE-2026-44289, CVE-2026-44290, CVE-2026-44291, CVE-2026-44292, CVE-2026-44293, CVE-2026-44294, CVE-2026-45740~~ chore: upgrade protobufjs to ^7.6.2 Jun 5, 2026

brendan-kellam and others added 2 commits June 4, 2026 17:35

brendan-kellam force-pushed the cursor/cve/protobufjs branch from 9f85873 to 2ab27cb Compare June 5, 2026 00:36

coderabbitai Bot reviewed Jun 5, 2026

View reviewed changes

Comment thread CLAUDE.md Outdated

brendan-kellam merged commit 4c9dfe0 into main Jun 5, 2026
12 checks passed

brendan-kellam deleted the cursor/cve/protobufjs branch June 5, 2026 00:43

github-actions Bot mentioned this pull request Jun 5, 2026

Sourcebot Roadmap 🚀 #459

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: upgrade protobufjs to ^7.6.2#1281

chore: upgrade protobufjs to ^7.6.2#1281
brendan-kellam merged 2 commits into
mainfrom
cursor/cve/protobufjs

brendan-kellam commented Jun 5, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented Jun 5, 2026 •

edited

Loading

Uh oh!

coderabbitai Bot left a comment

Uh oh!

Uh oh!

github-actions Bot commented Jun 5, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

brendan-kellam commented Jun 5, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Jun 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

github-actions Bot commented Jun 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

License Audit

Weak Copyleft Packages (informational)

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

brendan-kellam commented Jun 5, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Jun 5, 2026 •

edited

Loading

github-actions Bot commented Jun 5, 2026 •

edited

Loading