
fix(security): upgrade protobufjs to 7.5.5#28941

Merged: sahitya-chandra merged 1 commit into main from fix/security-protobufjs-cve on Apr 20, 2026

Conversation

@sahitya-chandra
Member

Summary

  • Pins protobufjs to 7.5.5 via root resolutions to patch GHSA-xq3m-2v4x-88gg (critical — arbitrary code execution, affects <7.5.5).
  • The vulnerable 7.4.0 was pulled in transitively through @opentelemetry/otlp-transformer@0.203.0, causing Security Audit / audit (yarn npm audit --all --recursive --severity critical) to fail on every open PR and block merges.

Test plan

  • yarn install --mode=update-lockfile succeeds and updates the protobufjs entry in yarn.lock to 7.5.5.
  • yarn npm audit --all --recursive --severity critical reports No audit suggestions.
  • CI Security Audit / audit job passes on this PR.

Pins protobufjs to 7.5.5 via resolutions to patch GHSA-xq3m-2v4x-88gg
(arbitrary code execution, <7.5.5). The vulnerable 7.4.0 was pulled in
transitively through @opentelemetry/otlp-transformer, causing the
Security Audit CI job to fail on all PRs.
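An added check, not code from this PR or the project, for verifying that a Yarn resolutions pin actually changed what yarn.lock resolves, rather than trusting the audit exit status alone: it parses the lockfile entries for the package, compares each resolved version against the first patched release, and confirms package.json carries the pin. The yarn.lock fragments, the package.json object and every function and constant name below are constructed for this example.

```javascript
// Added example (not code from this PR or the project): verify that a Yarn
// Berry "resolutions" pin changed what yarn.lock resolves. The lockfile
// fragments, package.json object and function names are constructed here.

const VULN_PACKAGE = "protobufjs";
// First release outside the affected range "<7.5.5" of GHSA-xq3m-2v4x-88gg.
const FIXED_VERSION = "7.5.5";

// Constructed yarn.lock fragment in the state the PR describes: the transitive
// range ^7.4.0 from @opentelemetry/otlp-transformer resolves to 7.4.0.
const LOCK_BEFORE = `
"@opentelemetry/otlp-transformer@npm:0.203.0":
  version: 0.203.0
  resolution: "@opentelemetry/otlp-transformer@npm:0.203.0"
  dependencies:
    protobufjs: "npm:^7.4.0"
  linkType: hard

"protobufjs@npm:^7.4.0":
  version: 7.4.0
  resolution: "protobufjs@npm:7.4.0"
  linkType: hard
`;

// Constructed fragment after `yarn install --mode=update-lockfile` with the
// pin in place: the same ^7.4.0 descriptor now resolves to 7.5.5.
const LOCK_AFTER = LOCK_BEFORE
  .replace('"protobufjs@npm:^7.4.0":', '"protobufjs@npm:7.5.5, protobufjs@npm:^7.4.0":')
  .replace("version: 7.4.0", "version: 7.5.5")
  .replace('resolution: "protobufjs@npm:7.4.0"', 'resolution: "protobufjs@npm:7.5.5"');

// Parse only what is needed: each unindented quoted key is a comma-separated
// list of descriptors, and its indented "version:" line is the version they
// all resolve to.
function parseLockEntries(lockText) {
  const entries = [];
  let current = null;
  for (const line of lockText.split("\n")) {
    const header = line.match(/^"?([^"]+)"?:\s*$/);
    if (header && !line.startsWith(" ")) {
      current = { descriptors: header[1].split(",").map((d) => d.trim()), version: null };
      entries.push(current);
      continue;
    }
    const ver = line.match(/^\s+version:\s*"?([^"\s]+)"?\s*$/);
    if (ver && current) current.version = ver[1];
  }
  return entries;
}

// "@scope/name@npm:range" -> "@scope/name"; "name@npm:range" -> "name".
function descriptorName(descriptor) {
  const at = descriptor.indexOf("@", 1);
  return at === -1 ? descriptor : descriptor.slice(0, at);
}

// Numeric major.minor.patch comparison; a pre-release of the fixed version
// sorts below the release and therefore still counts as vulnerable.
function compareVersions(a, b) {
  const [baseA, preA] = a.split("-");
  const [baseB, preB] = b.split("-");
  const pa = baseA.split(".").map(Number);
  const pb = baseB.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

// Every lock entry for pkgName whose resolved version is below fixedVersion
// (or that has no version line at all).
function findVulnerableResolutions(lockText, pkgName, fixedVersion) {
  return parseLockEntries(lockText)
    .filter((e) => e.descriptors.some((d) => descriptorName(d) === pkgName))
    .filter((e) => e.version === null || compareVersions(e.version, fixedVersion) < 0)
    .map((e) => ({ version: e.version, descriptors: e.descriptors }));
}

// True if package.json pins pkgName to exactly `version` via resolutions,
// accepting both a bare "protobufjs" key and a "**/protobufjs"-style key.
function hasResolutionPin(packageJson, pkgName, version) {
  return Object.entries(packageJson.resolutions || {}).some(
    ([key, value]) => (key === pkgName || key.endsWith("/" + pkgName)) && value === version
  );
}

function main() {
  const packageJson = { resolutions: { protobufjs: FIXED_VERSION } }; // constructed
  const before = findVulnerableResolutions(LOCK_BEFORE, VULN_PACKAGE, FIXED_VERSION);
  const after = findVulnerableResolutions(LOCK_AFTER, VULN_PACKAGE, FIXED_VERSION);
  console.log("vulnerable entries before pin:", JSON.stringify(before));
  console.log("vulnerable entries after pin:", JSON.stringify(after));
  console.log("package.json pin present:", hasResolutionPin(packageJson, VULN_PACKAGE, FIXED_VERSION));
  return after.length === 0 && hasResolutionPin(packageJson, VULN_PACKAGE, FIXED_VERSION);
}

main();
```

Against a real checkout, read yarn.lock with fs.readFileSync and pass its text to findVulnerableResolutions; `yarn why protobufjs` gives the same answer from Yarn itself. Because the resolutions entry overrides whatever range @opentelemetry/otlp-transformer declares, the pin is worth revisiting once that dependency moves to a fixed range on its own, otherwise it silently freezes protobufjs at 7.5.5 for every future consumer in the tree.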
@sahitya-chandra sahitya-chandra marked this pull request as ready for review April 20, 2026 13:51
@sahitya-chandra sahitya-chandra changed the title from "fix(security): upgrade protobufjs to 7.5.5 to fix critical CVE" to "fix(security): upgrade protobufjs to 7.5.5" Apr 20, 2026
@sahitya-chandra sahitya-chandra enabled auto-merge (squash) April 20, 2026 13:52
@coderabbitai
Contributor

coderabbitai Bot commented Apr 20, 2026

Walkthrough

The package.json file has been updated to add a new entry in the resolutions map, pinning the protobufjs dependency to version 7.5.5. This is a single line addition with no changes to other dependencies, scripts, or configuration logic in the file.

Pre-merge checks: 3 passed

  • Description check: Passed. The description is comprehensive and directly related to the changeset, explaining the security vulnerability being patched and the test plan verification.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: Passed. The title 'fix(security): upgrade protobufjs to 7.5.5' directly and specifically describes the main change - pinning protobufjs to a patched version to address a critical security vulnerability.


@sahitya-chandra sahitya-chandra merged commit 4313bd2 into main Apr 20, 2026
57 of 59 checks passed
@sahitya-chandra sahitya-chandra deleted the fix/security-protobufjs-cve branch April 20, 2026 16:22