Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion typescript/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
},
"dependencies": {
"fast-xml-parser": "^5.5.10",
"protobufjs": "^7.4.0",
"protobufjs": "^8.0.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the resolved protobufjs version in the lockfile
fd -a 'package-lock.json|pnpm-lock.yaml|yarn.lock' typescript | xargs -I{} sh -c 'echo "--- {} ---"; rg -n -A2 "\"protobufjs\"|^protobufjs@" {}'

Repository: meshtastic/TAKPacket-SDK

Length of output: 162


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== typescript files =="
git ls-files 'typescript/**' | sed -n '1,200p'

echo
echo "== package.json snippet =="
nl -ba typescript/package.json | sed -n '1,80p'

echo
echo "== potential lockfiles =="
git ls-files 'typescript/**' | rg '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|npm-shrinkwrap\.json)$' || true

Repository: meshtastic/TAKPacket-SDK

Length of output: 1056


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== typescript/package.json =="
cat -n typescript/package.json | sed -n '1,120p'

echo
echo "== lockfiles in repository =="
git ls-files | rg '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|npm-shrinkwrap\.json)$' || true

echo
echo "== protobufjs mentions in any lockfile =="
for f in $(git ls-files | rg '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|npm-shrinkwrap\.json)$' || true); do
  echo "--- $f ---"
  rg -n -A2 -B2 'protobufjs' "$f" || true
done

Repository: meshtastic/TAKPacket-SDK

Length of output: 1512


🌐 Web query:

protobufjs 8.0.0 vulnerability CVE-2026-41242 8.0.1 7.5.5

💡 Result:

CVE-2026-41242 is a critical arbitrary code execution vulnerability affecting protobufjs [1][2]. It stems from the library's handling of protobuf definitions where attacker-controlled input in the "type" fields could be used to inject and execute arbitrary JavaScript code via the Function constructor during object decoding [3][2][4]. Affected and Patched Versions: - Versions prior to 7.5.5 are affected [3][2]. - Version 8.0.0 is affected [3][4]. - Patched versions are 7.5.5 and 8.0.1 (or higher) [3][2][4]. Users are advised to upgrade to version 7.5.5 or 8.0.1 immediately [2][5]. If an upgrade is not immediately feasible, it is recommended to avoid loading protobuf definitions or JSON descriptors from untrusted sources, or to validate and restrict them in an isolated environment before loading [3][5]. Note that subsequent security advisories in May 2026 (such as GHSA-66ff-xgx4-vchm, GHSA-75px-5xx7-5xc7, and GHSA-fx83-v9x8-x52w) identified additional vulnerabilities related to code injection and prototype pollution that were patched in versions 7.5.6 and 8.0.2 [6][7][8]. Consequently, users should ideally upgrade to the latest stable versions beyond 7.5.6 and 8.0.2 to ensure comprehensive protection [9][6][7][8].

Citations:


Bump protobufjs to ^8.0.1.
^8.0.0 still includes the vulnerable 8.0.0 release (CVE-2026-41242); raise the minimum to a patched version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@typescript/package.json` at line 22, Update the protobufjs dependency
requirement in the package.json manifest from the current 8.0.0 range to a
patched minimum of ^8.0.1. This change should be made in the dependency entry
named protobufjs so installs no longer allow the vulnerable 8.0.0 release.

"zstd-napi": "^0.0.12"
},
"files": [
Expand Down
Loading