chore(deps): update protobufjs to v8#62
Conversation
3c90cd9 to
99e2737
Compare
99e2737 to
3ecc9c6
Compare
📝 WalkthroughWalkthroughUpdated the ChangesDependency Version Update
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related issues
Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@typescript/package.json`:
- Line 22: Update the protobufjs dependency requirement in the package.json
manifest from the current 8.0.0 range to a patched minimum of ^8.0.1. This
change should be made in the dependency entry named protobufjs so installs no
longer allow the vulnerable 8.0.0 release.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: ded1bd48-8890-405c-9105-d251dc362b48
📒 Files selected for processing (1)
typescript/package.json
| "dependencies": { | ||
| "fast-xml-parser": "^5.5.10", | ||
| "protobufjs": "^7.4.0", | ||
| "protobufjs": "^8.0.0", |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify the resolved protobufjs version in the lockfile
fd -a 'package-lock.json|pnpm-lock.yaml|yarn.lock' typescript | xargs -I{} sh -c 'echo "--- {} ---"; rg -n -A2 "\"protobufjs\"|^protobufjs@" {}'Repository: meshtastic/TAKPacket-SDK
Length of output: 162
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== typescript files =="
git ls-files 'typescript/**' | sed -n '1,200p'
echo
echo "== package.json snippet =="
nl -ba typescript/package.json | sed -n '1,80p'
echo
echo "== potential lockfiles =="
git ls-files 'typescript/**' | rg '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|npm-shrinkwrap\.json)$' || trueRepository: meshtastic/TAKPacket-SDK
Length of output: 1056
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== typescript/package.json =="
cat -n typescript/package.json | sed -n '1,120p'
echo
echo "== lockfiles in repository =="
git ls-files | rg '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|npm-shrinkwrap\.json)$' || true
echo
echo "== protobufjs mentions in any lockfile =="
for f in $(git ls-files | rg '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|npm-shrinkwrap\.json)$' || true); do
echo "--- $f ---"
rg -n -A2 -B2 'protobufjs' "$f" || true
doneRepository: meshtastic/TAKPacket-SDK
Length of output: 1512
🌐 Web query:
protobufjs 8.0.0 vulnerability CVE-2026-41242 8.0.1 7.5.5
💡 Result:
CVE-2026-41242 is a critical arbitrary code execution vulnerability affecting protobufjs [1][2]. It stems from the library's handling of protobuf definitions where attacker-controlled input in the "type" fields could be used to inject and execute arbitrary JavaScript code via the Function constructor during object decoding [3][2][4]. Affected and Patched Versions: - Versions prior to 7.5.5 are affected [3][2]. - Version 8.0.0 is affected [3][4]. - Patched versions are 7.5.5 and 8.0.1 (or higher) [3][2][4]. Users are advised to upgrade to version 7.5.5 or 8.0.1 immediately [2][5]. If an upgrade is not immediately feasible, it is recommended to avoid loading protobuf definitions or JSON descriptors from untrusted sources, or to validate and restrict them in an isolated environment before loading [3][5]. Note that subsequent security advisories in May 2026 (such as GHSA-66ff-xgx4-vchm, GHSA-75px-5xx7-5xc7, and GHSA-fx83-v9x8-x52w) identified additional vulnerabilities related to code injection and prototype pollution that were patched in versions 7.5.6 and 8.0.2 [6][7][8]. Consequently, users should ideally upgrade to the latest stable versions beyond 7.5.6 and 8.0.2 to ensure comprehensive protection [9][6][7][8].
Citations:
- 1: https://www.cve.org/CVERecord?id=CVE-2026-41242
- 2: https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-041/
- 3: GHSA-xq3m-2v4x-88gg
- 4: https://security.snyk.io/vuln/SNYK-JS-PROTOBUFJS-16094665
- 5: https://app.opencve.io/cve/CVE-2026-41242
- 6: GHSA-66ff-xgx4-vchm
- 7: GHSA-75px-5xx7-5xc7
- 8: GHSA-fx83-v9x8-x52w
- 9: https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.5.7/CHANGELOG.md
Bump protobufjs to ^8.0.1.
^8.0.0 still includes the vulnerable 8.0.0 release (CVE-2026-41242); raise the minimum to a patched version.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@typescript/package.json` at line 22, Update the protobufjs dependency
requirement in the package.json manifest from the current 8.0.0 range to a
patched minimum of ^8.0.1. This change should be made in the dependency entry
named protobufjs so installs no longer allow the vulnerable 8.0.0 release.
3ecc9c6 to
c079c00
Compare
This PR contains the following updates:
^7.4.0→^8.0.0Release Notes
protobufjs/protobuf.js (protobufjs)
v8.7.0Compare Source
Features
Bug Fixes
v8.6.6Compare Source
Bug Fixes
v8.6.5Compare Source
Bug Fixes
v8.6.4Compare Source
Bug Fixes
v8.6.3Compare Source
Bug Fixes
v8.6.2Compare Source
Bug Fixes
v8.6.1Compare Source
Bug Fixes
v8.6.0Compare Source
Features
Bug Fixes
v8.5.0Compare Source
Features
Bug Fixes
v8.4.2Compare Source
Bug Fixes
v8.4.1Compare Source
Bug Fixes
v8.4.0Compare Source
Features
v8.3.0Compare Source
Features
v8.2.1Compare Source
Bug Fixes
Performance Improvements
v8.2.0Compare Source
Features
Bug Fixes
Performance Improvements
v8.0.3Compare Source
Bug Fixes
v8.0.2Compare Source
Bug Fixes
[@exports](https://redirect.github.com/exports)for enums (#1824) (eb256f0)v8.0.1Compare Source
Bug Fixes
v8.0.0Compare Source
⚠ BREAKING CHANGES
Features
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.