
chore(deps): update lockfile to patch protobufjs vulnerability#294

Merged
andriimredocly merged 1 commit into main from fix/protobufjs-vulnerability
Apr 29, 2026

Conversation

@andriimredocly
Contributor

What/Why/How?

  • What: Patch CVE-2026-41242 / GHSA-xq3m-2v4x-88gg in protobufjs (arbitrary code execution via crafted protobuf "type" field, CVSS 9.8).
  • Why: protobufjs@7.5.3 (transitive via @redocly/realm → @opentelemetry/exporter-trace-otlp-http → @opentelemetry/otlp-transformer) was vulnerable. Attacker-controlled protobuf definitions could execute JS during decode.
  • How: Ran npm update protobufjs to refresh the lockfile within the existing ^7.3.0 range. Resolved version is now 7.5.6 (>= patched 7.5.5).

Reference

Closes https://github.com/Redocly/website/security/dependabot/107

Testing

  • Ran npm install and confirmed protobufjs resolves to 7.5.6 in package-lock.json (npm ls protobufjs).
  • Lockfile-only change; no application code modified.

Screenshots (optional)

Check yourself

  • Code is linted
  • Tested
  • All new/updated code is covered with tests

Security

  • Security impact of change has been considered
  • Code follows company security practices and guidelines

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
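The Testing section above verifies the fix with npm ls. As an added example (not part of this PR or the Redocly code base), the script below does the equivalent check directly against package-lock.json, listing every installed copy of protobufjs, hoisted or nested under another package's node_modules, and flagging any copy below the 7.5.5 patch floor named in the description. The embedded lockfile, its nested duplicate and the @opentelemetry/otlp-transformer version are constructed sample data.

```python
import json
import re
import sys
from typing import Dict, List, Tuple

# Lowest protobufjs release containing the fix for CVE-2026-41242 (per the PR description).
PATCHED = (7, 5, 5)

# Constructed lockfileVersion 3 sample: the hoisted copy is already 7.5.6, but a
# nested duplicate under another package is still on the vulnerable 7.5.3.
SAMPLE_LOCK = json.dumps({
    "name": "website",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "website"},
        "node_modules/protobufjs": {"version": "7.5.6"},
        "node_modules/@opentelemetry/otlp-transformer": {"version": "0.0.0-sample"},
        "node_modules/@opentelemetry/otlp-transformer/node_modules/protobufjs": {"version": "7.5.3"},
        "node_modules/@protobufjs/codegen": {"version": "2.0.4"},
    },
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.5.6' into (7, 5, 6); any pre-release or build suffix is ignored."""
    core = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(x) for x in core.groups())


def find_package(lock_json: str, name: str) -> Dict[str, str]:
    """Map lockfile path -> version for every installed copy of `name` (hoisted or nested)."""
    lock = json.loads(lock_json)
    suffix = "node_modules/" + name
    return {path: entry["version"]
            for path, entry in lock.get("packages", {}).items()
            if path == suffix or path.endswith("/" + suffix)}


def vulnerable_copies(lock_json: str, name: str = "protobufjs",
                      patched: Tuple[int, ...] = PATCHED) -> List[Tuple[str, str]]:
    """Return (path, version) for each copy whose version is older than `patched`."""
    return [(path, ver) for path, ver in find_package(lock_json, name).items()
            if parse_version(ver) < patched]


if __name__ == "__main__":
    # Pass a real package-lock.json path to audit it; otherwise the constructed sample is used.
    lock_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, ver in vulnerable_copies(lock_text):
        print(f"VULNERABLE {path}: protobufjs@{ver} < 7.5.5")
```

On the sample it reports only the nested copy, which is the case a glance at the top-level lockfile entry would miss.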
@andriimredocly andriimredocly marked this pull request as ready for review April 29, 2026 05:13
@andriimredocly andriimredocly requested a review from a team as a code owner April 29, 2026 05:13

@redocly redocly Bot left a comment


marketing-site AI Review: 🟢 Completed

Note

Low Risk

This PR contains a low-risk, lockfile-only change. It applies a patch-level update to a transitive dependency (protobufjs and its sub-dependencies) to address a known, highly critical security vulnerability. Since no application code is modified and the update stays within the existing version range, the potential for breaking changes or unintended side effects is minimal.

Overview

Updates package-lock.json to bump protobufjs from 7.5.4 to 7.5.6, along with minor bumps to @protobufjs/codegen, @protobufjs/inquire, and @protobufjs/utf8. This mitigates CVE-2026-41242 (GHSA-xq3m-2v4x-88gg), which could allow arbitrary code execution via crafted protobuf fields during decoding.

@andriimredocly andriimredocly merged commit 0f97816 into main Apr 29, 2026
7 checks passed
@andriimredocly andriimredocly deleted the fix/protobufjs-vulnerability branch April 29, 2026 08:19
