Skip to content

chore(deps): update protobufjs to v8#62

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/protobufjs-8.x
Open

chore(deps): update protobufjs to v8#62
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/protobufjs-8.x

Conversation

@renovate

@renovate renovate Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
protobufjs ^7.4.0^8.0.0 age confidence

Release Notes

protobufjs/protobuf.js (protobufjs)

v8.7.0

Compare Source

Features
  • Rework encoder architecture and add additional fast paths (#​2359) (e912baf)
Bug Fixes
  • Preserve parsed json_name in field options (#​2363) (1cdd91e)
  • Reject truncated declarations without TypeError (#​2358) (5995f2a)
  • Resolve feature defaults before lazy codegen (d59d100)

v8.6.6

Compare Source

Bug Fixes

v8.6.5

Compare Source

Bug Fixes

v8.6.4

Compare Source

Bug Fixes

v8.6.3

Compare Source

Bug Fixes

v8.6.2

Compare Source

Bug Fixes

v8.6.1

Compare Source

Bug Fixes

v8.6.0

Compare Source

Features
Bug Fixes

v8.5.0

Compare Source

Features
Bug Fixes

v8.4.2

Compare Source

Bug Fixes

v8.4.1

Compare Source

Bug Fixes

v8.4.0

Compare Source

Features

v8.3.0

Compare Source

Features

v8.2.1

Compare Source

Bug Fixes
Performance Improvements

v8.2.0

Compare Source

Features
Bug Fixes
Performance Improvements

v8.0.3

Compare Source

Bug Fixes

v8.0.2

Compare Source

Bug Fixes

v8.0.1

Compare Source

Bug Fixes

v8.0.0

Compare Source

⚠ BREAKING CHANGES
Features

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 17, 2026
@renovate renovate Bot force-pushed the renovate/protobufjs-8.x branch from 3c90cd9 to 99e2737 Compare June 23, 2026 16:53
@renovate renovate Bot force-pushed the renovate/protobufjs-8.x branch from 99e2737 to 3ecc9c6 Compare July 4, 2026 04:56
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Updated the protobufjs dependency constraint in typescript/package.json from ^7.4.0 to ^8.0.0.

Changes

Dependency Version Update

Layer / File(s) Summary
protobufjs version bump
typescript/package.json
Updated the protobufjs dependency constraint from ^7.4.0 to ^8.0.0.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related issues

Possibly related PRs

Poem

A tiny hop, a version leap,
From seven to eight, the bunniesీప.
One package line now sings anew,
With carrots bright and skies of blue.
🐇🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the dependency update from protobufjs v7 to v8.

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@typescript/package.json`:
- Line 22: Update the protobufjs dependency requirement in the package.json
manifest from the current 8.0.0 range to a patched minimum of ^8.0.1. This
change should be made in the dependency entry named protobufjs so installs no
longer allow the vulnerable 8.0.0 release.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: ded1bd48-8890-405c-9105-d251dc362b48

📥 Commits

Reviewing files that changed from the base of the PR and between 8d793f0 and 3ecc9c6.

📒 Files selected for processing (1)
  • typescript/package.json

Comment thread typescript/package.json
"dependencies": {
"fast-xml-parser": "^5.5.10",
"protobufjs": "^7.4.0",
"protobufjs": "^8.0.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the resolved protobufjs version in the lockfile
fd -a 'package-lock.json|pnpm-lock.yaml|yarn.lock' typescript | xargs -I{} sh -c 'echo "--- {} ---"; rg -n -A2 "\"protobufjs\"|^protobufjs@" {}'

Repository: meshtastic/TAKPacket-SDK

Length of output: 162


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== typescript files =="
git ls-files 'typescript/**' | sed -n '1,200p'

echo
echo "== package.json snippet =="
nl -ba typescript/package.json | sed -n '1,80p'

echo
echo "== potential lockfiles =="
git ls-files 'typescript/**' | rg '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|npm-shrinkwrap\.json)$' || true

Repository: meshtastic/TAKPacket-SDK

Length of output: 1056


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== typescript/package.json =="
cat -n typescript/package.json | sed -n '1,120p'

echo
echo "== lockfiles in repository =="
git ls-files | rg '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|npm-shrinkwrap\.json)$' || true

echo
echo "== protobufjs mentions in any lockfile =="
for f in $(git ls-files | rg '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|npm-shrinkwrap\.json)$' || true); do
  echo "--- $f ---"
  rg -n -A2 -B2 'protobufjs' "$f" || true
done

Repository: meshtastic/TAKPacket-SDK

Length of output: 1512


🌐 Web query:

protobufjs 8.0.0 vulnerability CVE-2026-41242 8.0.1 7.5.5

💡 Result:

CVE-2026-41242 is a critical arbitrary code execution vulnerability affecting protobufjs [1][2]. It stems from the library's handling of protobuf definitions where attacker-controlled input in the "type" fields could be used to inject and execute arbitrary JavaScript code via the Function constructor during object decoding [3][2][4]. Affected and Patched Versions: - Versions prior to 7.5.5 are affected [3][2]. - Version 8.0.0 is affected [3][4]. - Patched versions are 7.5.5 and 8.0.1 (or higher) [3][2][4]. Users are advised to upgrade to version 7.5.5 or 8.0.1 immediately [2][5]. If an upgrade is not immediately feasible, it is recommended to avoid loading protobuf definitions or JSON descriptors from untrusted sources, or to validate and restrict them in an isolated environment before loading [3][5]. Note that subsequent security advisories in May 2026 (such as GHSA-66ff-xgx4-vchm, GHSA-75px-5xx7-5xc7, and GHSA-fx83-v9x8-x52w) identified additional vulnerabilities related to code injection and prototype pollution that were patched in versions 7.5.6 and 8.0.2 [6][7][8]. Consequently, users should ideally upgrade to the latest stable versions beyond 7.5.6 and 8.0.2 to ensure comprehensive protection [9][6][7][8].

Citations:


Bump protobufjs to ^8.0.1.
^8.0.0 still includes the vulnerable 8.0.0 release (CVE-2026-41242); raise the minimum to a patched version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@typescript/package.json` at line 22, Update the protobufjs dependency
requirement in the package.json manifest from the current 8.0.0 range to a
patched minimum of ^8.0.1. This change should be made in the dependency entry
named protobufjs so installs no longer allow the vulnerable 8.0.0 release.

@renovate renovate Bot force-pushed the renovate/protobufjs-8.x branch from 3ecc9c6 to c079c00 Compare July 6, 2026 16:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants