chore: upgrade protobufjs to ^7.6.4 to address CVE-2026-54269

[linear-code]

Fixes SOU-1361

Refreshes the yarn.lock entry for protobufjs from 7.6.2 to 7.6.4 to address CVE-2026-54269 (schema-derived names can shadow runtime-significant properties; fixed in 7.6.3).

protobufjs is a transitive dependency only (via @grpc/proto-loader, proto3-json-serializer, @opentelemetry/otlp-transformer, and @google/genai). Every requesting range is ^7.x and already admitted the patched version, so no package.json change or resolutions override was needed. yarn why protobufjs confirms all instances now resolve to 7.6.4.

[github-actions]

License Audit

⚠️ Status: PASS

Metric	Count
Total packages	2129
Resolved (non-standard)	11
Unresolved	0
Strong copyleft	0
Weak copyleft	38

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.0.5	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-wasm32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
axe-core	4.10.3	MPL-2.0
lightningcss	1.32.0	MPL-2.0
lightningcss-android-arm64	1.32.0	MPL-2.0
lightningcss-darwin-arm64	1.32.0	MPL-2.0
lightningcss-darwin-x64	1.32.0	MPL-2.0
lightningcss-freebsd-x64	1.32.0	MPL-2.0
lightningcss-linux-arm-gnueabihf	1.32.0	MPL-2.0
lightningcss-linux-arm64-gnu	1.32.0	MPL-2.0
lightningcss-linux-arm64-musl	1.32.0	MPL-2.0
lightningcss-linux-x64-gnu	1.32.0	MPL-2.0
lightningcss-linux-x64-musl	1.32.0	MPL-2.0
lightningcss-win32-arm64-msvc	1.32.0	MPL-2.0
lightningcss-win32-x64-msvc	1.32.0	MPL-2.0

Resolved Packages (11)

Package	Version	Original	Resolved	Source
@react-grab/cli	0.1.23	UNKNOWN	MIT	GitHub repo (aidenybai/react-grab LICENSE)
@react-grab/cli	0.1.29	UNKNOWN	MIT	GitHub repo (aidenybai/react-grab LICENSE)
@react-grab/mcp	0.1.29	UNKNOWN	MIT	GitHub repo (aidenybai/react-grab LICENSE)
codemirror-lang-elixir	4.0.0	UNKNOWN	Apache-2.0	npm registry metadata
element-source	0.0.3	UNKNOWN	MIT	GitHub repo (aidenybai/element-source LICENSE)
lezer-elixir	1.1.2	UNKNOWN	Apache-2.0	npm registry metadata
map-stream	0.1.0	UNKNOWN	MIT	npm registry metadata
memorystream	0.3.1	UNKNOWN	MIT	npm registry legacy licenses object (type=MIT)
pause-stream	0.0.11	["MIT","Apache2"]	(MIT OR Apache-2.0)	extracted from object/array + GitHub repo LICENSE (dual licensed MIT and Apache 2)
posthog-js	1.369.0	SEE LICENSE IN LICENSE	Apache-2.0	GitHub repo LICENSE (PostHog/posthog-js)
valid-url	1.0.9	UNKNOWN	MIT	GitHub repo LICENSE (ogt/valid-url)