From 354ca1804b7ceeec21eaf1e9dcd4b115c7615d9c Mon Sep 17 00:00:00 2001
From: Aditya Mathur <57684218+MathurAditya724@users.noreply.github.com>
Date: Wed, 13 May 2026 07:51:15 +0000
Subject: [PATCH 1/2] fix: override protobufjs to >=7.5.6 to resolve CVE (GHSA-jvwf-75h9-cwgg)

protobufjs <7.5.6 is vulnerable to process-wide denial of service through unsafe option paths. The vulnerable version (7.4.0) was pulled in transitively via @atproto/bsky -> etcd3 -> @grpc/proto-loader. Added a pnpm override to force protobufjs >=7.5.6 (resolved to 8.2.0).
---
 package.json | 5 ++++
 pnpm-lock.yaml | 76 ++++++--------------------------------------------
 2 files changed, 13 insertions(+), 68 deletions(-)

diff --git a/package.json b/package.json
index f0a988b..161349b 100644
--- a/package.json
+++ b/package.json
@@ -34,5 +34,10 @@
 "*.{js,ts,cjs,mjs,json}": [
 "biome check --write --"
 ]
+ },
+ "pnpm": {
+ "overrides": {
+ "protobufjs": ">=7.5.6"
+ }
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6ab00ad..4375ad9 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -10,6 +10,9 @@ catalogs: specifier: ^5.7.2 version: 5.7.2 +overrides: + protobufjs: '>=7.5.6' + importers: .: 
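Review bot: The override `"protobufjs": ">=7.5.6"` is unbounded, and the lockfile hunk shows it resolving to protobufjs 8.2.0 where the consumer (per the commit message, @grpc/proto-loader reached via etcd3) previously had 7.4.0; a pnpm override replaces that consumer's own range rather than intersecting with it, so this forces a major-version jump onto a transitive dependency that never declared support for it. Unless proto-loader and etcd3 have been exercised against 8.x, constraining to the patched 7.x line, `"protobufjs": ">=7.5.6 <8"`, closes the advisory with a much smaller behavioural surface. The lockfile also shows 8.2.0 dropping every `@protobufjs/*` helper package, which is consistent with a non-trivial internal change rather than a patch release. Because the override will keep masking whatever range upstream later ships, it is worth recording the advisory (GHSA-jvwf-75h9-cwgg) and the transitive path next to the override in the commit message or a maintainer note so the pin can be removed once the chain updates on its own.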
@@ -1503,36 +1506,6 @@ packages: resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==} engines: {node: '>=14'} - '@protobufjs/aspromise@1.1.2': - resolution: {integrity: sha512-j+gKExEuLmKwvz3OgROXtrJ2UG2x8Ch2YZUxahh+s1F2HZ+wAceUNLkvy6zKCPVRkU++ZWQrdxsUeQXmcg4uoQ==} - - '@protobufjs/base64@1.1.2': - resolution: {integrity: sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg==} - - '@protobufjs/codegen@2.0.4': - resolution: {integrity: sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==} - - '@protobufjs/eventemitter@1.1.0': - resolution: {integrity: sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==} - - '@protobufjs/fetch@1.1.0': - resolution: {integrity: sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==} - - '@protobufjs/float@1.0.2': - resolution: {integrity: sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==} - - '@protobufjs/inquire@1.1.0': - resolution: {integrity: sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==} - - '@protobufjs/path@1.1.2': - resolution: {integrity: sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==} - - '@protobufjs/pool@1.1.0': - resolution: {integrity: sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==} - - '@protobufjs/utf8@1.1.0': - resolution: {integrity: sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==} - '@rollup/plugin-alias@5.1.1': resolution: {integrity: sha512-PR9zDb+rOzkRb2VD+EuKB7UC41vU5DIwZ5qqCpk0KJudcWAyi8rvYOhS7+L5aZCspw1stTViLgN5v6FF1p5cgQ==} engines: {node: '>=14.0.0'} 
@@ -3796,8 +3769,8 @@ packages: property-information@6.5.0: resolution: {integrity: sha512-PgTgs/BlvHxOu8QuEN7wi5A0OmXaBcHpmCSTehcs6Uuu9IkDIEo13Hy7n898RHfrQ49vKCoGeWZSaAK01nwVig==} - protobufjs@7.4.0: - resolution: {integrity: sha512-mRUWCc3KUU4w1jU8sGxICXH/gNS94DvI1gxqDvBzhj1JpcsimQkYiOJfwsPUykUI5ZaspFbSgmBLER8IrQ3tqw==} + protobufjs@8.2.0: + resolution: {integrity: sha512-oI+GC9iPxrQEr6wragljFKH46/r3rNsm6eg7F2fp6kBUMnf6/mesDRdBuF4gK+OyaKJ8N4C1B9s9cCeYdqFikg==} engines: {node: '>=12.0.0'} proxy-addr@2.0.7: @@ -6174,7 +6147,7 @@ snapshots: dependencies: lodash.camelcase: 4.3.0 long: 5.3.1 - protobufjs: 7.4.0 + protobufjs: 8.2.0 yargs: 17.7.2 '@hapi/accept@6.0.3': @@ -6362,29 +6335,6 @@ snapshots: '@pkgjs/parseargs@0.11.0': optional: true - '@protobufjs/aspromise@1.1.2': {} - - '@protobufjs/base64@1.1.2': {} - - '@protobufjs/codegen@2.0.4': {} - - '@protobufjs/eventemitter@1.1.0': {} - - '@protobufjs/fetch@1.1.0': - dependencies: - '@protobufjs/aspromise': 1.1.2 - '@protobufjs/inquire': 1.1.0 - - '@protobufjs/float@1.0.2': {} - - '@protobufjs/inquire@1.1.0': {} - - '@protobufjs/path@1.1.2': {} - - '@protobufjs/pool@1.1.0': {} - - '@protobufjs/utf8@1.1.0': {} - '@rollup/plugin-alias@5.1.1(rollup@4.27.4)': optionalDependencies: rollup: 4.27.4 @@ -8821,18 +8771,8 @@ snapshots: property-information@6.5.0: {} - protobufjs@7.4.0: - dependencies: - '@protobufjs/aspromise': 1.1.2 - '@protobufjs/base64': 1.1.2 - '@protobufjs/codegen': 2.0.4 - '@protobufjs/eventemitter': 1.1.0 - '@protobufjs/fetch': 1.1.0 - '@protobufjs/float': 1.0.2 - '@protobufjs/inquire': 1.1.0 - '@protobufjs/path': 1.1.2 - '@protobufjs/pool': 1.1.0 - '@protobufjs/utf8': 1.1.0 + protobufjs@8.2.0: + dependencies: '@types/node': 22.13.10 long: 5.3.1 From 3ffaffda4765c1e97fd72f388693a9f9ae7ff652 Mon Sep 17 00:00:00 2001 
From: Aditya Mathur <57684218+MathurAditya724@users.noreply.github.com>
Date: Wed, 13 May 2026 07:57:14 +0000
Subject: [PATCH 2/2] fix: ignore generated lexicon files in biome format check

---
 biome.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/biome.json b/biome.json
index 2990d82..38a394a 100644
--- a/biome.json
+++ b/biome.json
@@ -18,6 +18,7 @@
 "package.json",
 "tsconfig.json",
 "packages/lexicons/src/lib/lexicons.ts",
+ "packages/lexicons/lexicons/",
 "docs/api/"
 ]
 },