fix(security): raise protobufjs override floors (CRITICAL)#683
CI fully green. Closes the CRITICAL protobufjs arbitrary-code-execution alert #426 plus the surrounding 8.x/7.x cluster across both the npm and pnpm javascript locks. Ready for human review.
Automated low-risk assessment: This PR was evaluated against the repository's Low-Risk Pull Requests procedure.
An approving review has been submitted by automation. The PR may merge once required CI checks pass.
Rebased onto current main (resolved the overlap with the merged #684 hono+ws; kept both main's hono/ws floors and the protobufjs floors). Locks regenerated so the overrides header matches package.json; protobufjs resolves to 7.6.4 / 8.6.1 (pnpm) and 7.6.4 / 8.6.4 (npm), closing the CRITICAL #426 and the HIGH protobufjs alerts. CI fully green, MERGEABLE. Ready for human review and merge.
What
Raises the protobufjs security-override floors in javascript so the 8.x line resolves to >=8.6.0 and the 7.x line to >=7.6.3 <8, across both lockfiles (npm package-lock.json and pnpm pnpm-lock.yaml). overrides block + bumped pnpm.overrides: protobufjs@>=8.0.0 <8.6.0 -> >=8.6.0, protobufjs@<7.6.3 -> >=7.6.3 <8.

Why
protobufjs 8.0.0 (pinned by @opentelemetry/otlp-transformer in the npm tree) is affected by CRITICAL arbitrary code execution (alert #426), plus the 8.x DoS / property-shadowing advisories; the pnpm tree carried a vulnerable 7.5.8.
Resolves #426 (CRITICAL), #429, #430, #431, #432, #433, #434, #435, #436, #440, #441, #448, #449.

Verification
@opentelemetry/otlp-transformer moves to 8.6.4; the safe 7.6.4 used by the ^7 consumers (@google/genai, @grpc/proto-loader, langwatch's own otlp-transformer) is preserved. pnpm install --frozen-lockfile, tsc --noEmit, and tsup build all pass.

Notes
The esbuild alerts in these same locks are handled separately in #671; this PR is protobufjs-only.
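As an added verification aid (example code written for this page, not part of the PR or the repository), the script below scans both lockfile formats for every resolved copy of protobufjs and checks each against the floors stated above: 8.x must be >=8.6.0, 7.x must be >=7.6.3. The lockfile excerpts are constructed to mirror the before/after state the description gives (npm with 8.0.0 nested under @opentelemetry/otlp-transformer, pnpm carrying 7.5.8); the pnpm scan is a regex over `protobufjs@X.Y.Z:` keys rather than a full YAML parse, and the function names are chosen here.

```python
import json
import re
from typing import Dict, List, Tuple

# Floors the PR establishes: 8.x must resolve to >=8.6.0, 7.x to >=7.6.3 (<8).
# Majors outside {7, 8} are reported rather than silently accepted.
FLOORS: Dict[int, Tuple[int, int, int]] = {8: (8, 6, 0), 7: (7, 6, 3)}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (prerelease/build suffix ignored) into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch)


def npm_protobufjs_versions(lock_text: str) -> List[Tuple[str, str]]:
    """Every protobufjs copy in a lockfileVersion 2/3 package-lock.json as (install path, version).

    Nested copies sit at 'node_modules/<parent>/node_modules/protobufjs', so the
    segment after the last 'node_modules/' identifies the package.
    """
    lock = json.loads(lock_text)
    found = []
    for path, meta in lock.get("packages", {}).items():
        if path.rsplit("node_modules/", 1)[-1] == "protobufjs":
            found.append((path, meta["version"]))
    return found


def pnpm_protobufjs_versions(lock_text: str) -> List[Tuple[str, str]]:
    """Every 'protobufjs@X.Y.Z:' key in pnpm-lock.yaml as (key, version).

    Regex instead of a YAML parser keeps the script dependency-free; the same key
    appears under both 'packages:' and 'snapshots:', so results are deduplicated.
    """
    found = []
    for m in re.finditer(r"^[ \t]*(protobufjs@(\d+\.\d+\.\d+)):", lock_text, re.MULTILINE):
        item = (m.group(1), m.group(2))
        if item not in found:
            found.append(item)
    return found


def check_floors(resolved: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each resolved copy as 'ok', 'below-floor' or 'unexpected-major'."""
    verdicts = []
    for where, version in resolved:
        parsed = parse_version(version)
        floor = FLOORS.get(parsed[0])
        if floor is None:
            verdict = "unexpected-major"
        elif parsed < floor:
            verdict = "below-floor"
        else:
            verdict = "ok"
        verdicts.append((where, version, verdict))
    return verdicts


def lock_is_clean(verdicts: List[Tuple[str, str, str]]) -> bool:
    """True only if at least one copy was found and every copy meets its floor."""
    return bool(verdicts) and all(v == "ok" for _, _, v in verdicts)


# Constructed lockfile excerpts (not the repository's real files).
NPM_LOCK_BEFORE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-example"},
        "node_modules/protobufjs": {"version": "7.6.4"},
        "node_modules/@opentelemetry/otlp-transformer/node_modules/protobufjs": {"version": "8.0.0"},
    },
})
NPM_LOCK_AFTER = NPM_LOCK_BEFORE.replace('"8.0.0"', '"8.6.4"')

PNPM_LOCK_BEFORE = """\
lockfileVersion: '9.0'
packages:
  protobufjs@7.5.8:
    resolution: {integrity: sha512-constructed}
snapshots:
  protobufjs@7.5.8: {}
"""
PNPM_LOCK_AFTER = """\
lockfileVersion: '9.0'
packages:
  protobufjs@7.6.4:
    resolution: {integrity: sha512-constructed}
  protobufjs@8.6.1:
    resolution: {integrity: sha512-constructed}
snapshots:
  protobufjs@7.6.4: {}
  protobufjs@8.6.1: {}
"""

if __name__ == "__main__":
    for label, verdicts in [
        ("npm before", check_floors(npm_protobufjs_versions(NPM_LOCK_BEFORE))),
        ("npm after", check_floors(npm_protobufjs_versions(NPM_LOCK_AFTER))),
        ("pnpm before", check_floors(pnpm_protobufjs_versions(PNPM_LOCK_BEFORE))),
        ("pnpm after", check_floors(pnpm_protobufjs_versions(PNPM_LOCK_AFTER))),
    ]:
        print(label, "clean" if lock_is_clean(verdicts) else "VULNERABLE", verdicts)
```

Run against the real files by reading package-lock.json and pnpm-lock.yaml into the two scanners; a non-empty list of "below-floor" verdicts means an override did not take effect, which is what a lockfile regeneration after editing overrides is meant to prevent.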