
fix: override protobufjs to patch CVE GHSA-jvwf-75h9-cwgg #121

Merged
MathurAditya724 merged 2 commits into main from fix-protobufjs-cve on May 13, 2026

Conversation

@MathurAditya724
Contributor

Summary

  • Adds a pnpm.overrides entry to force protobufjs to >=7.5.6, resolving GHSA-jvwf-75h9-cwgg (high severity — process-wide DoS through unsafe option paths)
  • The vulnerable protobufjs@7.4.0 was a transitive dependency via @atproto/bsky -> etcd3 -> @grpc/proto-loader; resolved to 8.2.0

Closes https://github.com/tsky-dev/tsky/security/dependabot/135

protobufjs <7.5.6 is vulnerable to process-wide denial of service
through unsafe option paths. The vulnerable version (7.4.0) was pulled
in transitively via @atproto/bsky -> etcd3 -> @grpc/proto-loader.

Added a pnpm override to force protobufjs >=7.5.6 (resolved to 8.2.0).
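A worked illustration of what the override in this PR does, added here as an example and not code from the tsky repository: it writes a `pnpm.overrides` entry into a package.json object, then audits a resolved dependency tree for any copy of protobufjs below the patched version, using the same chain the PR names (@atproto/bsky -> etcd3 -> @grpc/proto-loader -> protobufjs). The package name `example-app`, the tree layout and the helper names are assumptions for the example; only the protobufjs versions (7.4.0 before, 8.2.0 after, 7.5.6 as the floor) come from the PR.

```javascript
// Added example for this PR's topic; not code from the tsky repository.
// It models what a pnpm override does: every copy of a transitive dependency
// (here protobufjs, reached via @atproto/bsky -> etcd3 -> @grpc/proto-loader)
// is forced into a patched range, and a resolved tree is audited against it.

const PKG_NAME = "protobufjs";
const MIN_SAFE = "7.5.6"; // first version outside GHSA-jvwf-75h9-cwgg, per the PR

// Parse "MAJOR.MINOR.PATCH[-pre][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Comparator returning -1 / 0 / 1. A prerelease sorts below its release
// (7.5.6-rc.1 < 7.5.6), so it is still reported as unpatched.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Return a copy of a package.json object with pnpm.overrides[name] = range,
// creating the "pnpm" and "overrides" objects when they do not exist yet.
function addOverride(pkg, name, range) {
  const out = JSON.parse(JSON.stringify(pkg));
  out.pnpm = out.pnpm ?? {};
  out.pnpm.overrides = out.pnpm.overrides ?? {};
  out.pnpm.overrides[name] = range;
  return out;
}

// Walk a resolved tree ({ name: { version, dependencies } }) and return one
// "a -> b -> name@version" path for every copy of `name` below `minSafe`.
function findVulnerable(tree, name, minSafe, path = []) {
  const hits = [];
  for (const [dep, node] of Object.entries(tree)) {
    const here = [...path, node.version ? `${dep}@${node.version}` : dep];
    if (dep === name && compareSemver(node.version, minSafe) < 0) {
      hits.push(here.join(" -> "));
    }
    if (node.dependencies) {
      hits.push(...findVulnerable(node.dependencies, name, minSafe, here));
    }
  }
  return hits;
}

// Constructed trees mirroring the chain named in the PR. Only the protobufjs
// versions are taken from the PR; the intermediate packages carry no version
// because the PR states none.
const TREE_BEFORE = {
  "@atproto/bsky": { dependencies: {
    etcd3: { dependencies: {
      "@grpc/proto-loader": { dependencies: {
        [PKG_NAME]: { version: "7.4.0" },
      } },
    } },
  } },
};
const TREE_AFTER = JSON.parse(JSON.stringify(TREE_BEFORE));
TREE_AFTER["@atproto/bsky"].dependencies.etcd3.dependencies["@grpc/proto-loader"]
  .dependencies[PKG_NAME].version = "8.2.0";

// Apply the override to a hypothetical package.json and audit both trees.
function demo() {
  const pkg = addOverride({ name: "example-app", private: true }, PKG_NAME, `>=${MIN_SAFE}`);
  return {
    overrides: pkg.pnpm.overrides,
    before: findVulnerable(TREE_BEFORE, PKG_NAME, MIN_SAFE),
    after: findVulnerable(TREE_AFTER, PKG_NAME, MIN_SAFE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`; on the real repository the equivalent check is `pnpm why protobufjs` before and after the override, and `pnpm audit` to confirm the advisory no longer fires. One point worth keeping in mind with an open-ended range like `>=7.5.6`: pnpm resolved it to the newest satisfying release, which here crossed a major boundary (7.4.0 to 8.2.0), so the green CI run on this PR is what vouches that @grpc/proto-loader still works against the new major.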
@netlify

netlify Bot commented May 13, 2026

Deploy Preview for tsky ready!

Name Link
🔨 Latest commit 3ffaffd
🔍 Latest deploy log https://app.netlify.com/projects/tsky/deploys/6a042ede0a5b9c0008e42cae
😎 Deploy Preview https://deploy-preview-121--tsky.netlify.app

@github-actions
Contributor

github-actions Bot commented May 13, 2026

Coverage Report for ./packages/client/

Status Category Percentage Covered / Total
🔵 Lines 13.64% 52 / 381
🔵 Statements 13.13% 52 / 396
🔵 Functions 9.6% 17 / 177
🔵 Branches 14.45% 12 / 83
File Coverage: No changed files found.
Generated in workflow #293 for commit 3ffaffd by the Vitest Coverage Report Action

@pkg-pr-new

pkg-pr-new Bot commented May 13, 2026

pnpm add https://pkg.pr.new/@tsky/client@121

commit: 3ffaffd

@MathurAditya724
Contributor Author

fix-ci: attempt 1 — the biome format check fails on generated files under packages/lexicons/lexicons/lexicon-resolver/. These are generated during pnpm install (via the prepare script) and gitignored, but biome still picks them up. This is a pre-existing issue on main (no code-gen files differ between branches). Adding the path to biome's ignore list.

@MathurAditya724
Copy link
Copy Markdown
Contributor Author

MathurAditya724 commented May 13, 2026

fix-ci: attempt 1 — the failing run was on 354ca18 (before the biome ignore fix). commit 3ffaffd already added packages/lexicons/lexicons/ to biome's ignore list, and CI is now green on the latest push. no further action needed.

@MathurAditya724 MathurAditya724 merged commit b896fbc into main May 13, 2026
9 checks passed
@MathurAditya724 MathurAditya724 deleted the fix-protobufjs-cve branch May 13, 2026 08:05