
fix(security): raise protobufjs override floors (CRITICAL)#683

Merged
drewdrewthis merged 1 commit into main from dependabot-scout/protobufjs-security on Jul 2, 2026

Conversation

@langwatch-agent (Contributor)

What

Raises the protobufjs security-override floors in javascript so the 8.x line resolves to >=8.6.0 and the 7.x line to >=7.6.3 <8, across both lockfiles (npm package-lock.json and pnpm pnpm-lock.yaml).

  • New top-level npm overrides block + bumped pnpm.overrides: protobufjs@>=8.0.0 <8.6.0 -> >=8.6.0, protobufjs@<7.6.3 -> >=7.6.3 <8.

Why

protobufjs 8.0.0 (pinned by @opentelemetry/otlp-transformer in the npm tree) is affected by CRITICAL arbitrary code execution (alert #426), plus the 8.x DoS / property-shadowing advisories; the pnpm tree carried a vulnerable 7.5.8.

Resolves #426 (CRITICAL), #429, #430, #431, #432, #433, #434, #435, #436, #440, #441, #448, #449.

Verification

  • npm lock: the 8.0.0 under @opentelemetry/otlp-transformer moves to 8.6.4; the safe 7.6.4 used by the ^7 consumers (@google/genai, @grpc/proto-loader, langwatch's own otlp-transformer) is preserved.
  • pnpm lock: 7.5.8 -> 7.6.4; the already-patched 8.6.1 is untouched.
  • Both locks change protobufjs-only (incremental resolve, no unrelated drift).
  • pnpm install --frozen-lockfile, tsc --noEmit, and tsup build all pass.

Notes

The esbuild alerts in these same locks are handled separately in #671; this PR is protobufjs-only.
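Added example, not code from this PR or from the langwatch repository: a small Node.js script that performs the lockfile check the Verification section above describes. It walks an npm package-lock.json (the lockfile v2/v3 "packages" map) and reports every copy of protobufjs, top-level or nested under another dependency's node_modules, that still sits inside a range the overrides in the What section were meant to replace. The rule map uses the same name@range -> range pairs quoted there; the function names, the minimal semver comparator and the two sample lockfiles are constructed for illustration (the "before" sample mirrors the 8.0.0 under @opentelemetry/otlp-transformer and the 7.5.8 mentioned in Why; the dependency path holding the 7.5.8 is invented). It does not parse pnpm-lock.yaml.

```javascript
// Added example (not part of the PR or the langwatch project): audit an npm
// package-lock.json so that every nested copy of protobufjs has actually
// been moved off the ranges the overrides target. Helper names are
// hypothetical; the override ranges are the ones quoted in the PR description.

// Parse "8.6.4" -> [8, 6, 4]. Pre-release/build suffixes are dropped, which
// is a simplification: "8.6.0-rc.1" is treated as 8.6.0 here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy a space-separated conjunction of comparators such
// as ">=8.0.0 <8.6.0"? Partial bounds ("<8") are padded with zeros.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const op = m[1] || '=';
    const bound = [Number(m[2]), Number(m[3] || 0), Number(m[4] || 0)];
    const c = cmp(v, bound);
    switch (op) {
      case '>=': return c >= 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '<': return c < 0;
      default: return c === 0;
    }
  });
}

// Override rules as written in the PR: key = range the override replaces,
// value = range the resolved version must satisfy afterwards.
const PROTOBUFJS_OVERRIDES = {
  'protobufjs@>=8.0.0 <8.6.0': '>=8.6.0',
  'protobufjs@<7.6.3': '>=7.6.3 <8',
};

// Walk the "packages" map and return every protobufjs copy that is still
// inside a replaced range, plus any copy that matches no target range at
// all (a gap a range-keyed override silently leaves alone). An empty array
// means the override took effect for every nested copy.
function auditLock(lock, overrides = PROTOBUFJS_OVERRIDES) {
  const rules = Object.entries(overrides).map(([key, target]) => ({
    replaced: key.slice(key.lastIndexOf('@') + 1),
    target,
  }));
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/protobufjs$/.test(path)) continue;
    const hit = rules.find((r) => satisfies(entry.version, r.replaced));
    if (hit) {
      findings.push({ path, version: entry.version,
        reason: `still inside replaced range "${hit.replaced}"; override targets "${hit.target}"` });
    } else if (!rules.some((r) => satisfies(entry.version, r.target))) {
      findings.push({ path, version: entry.version,
        reason: 'outside every override target; check for a newer advisory' });
    }
  }
  return findings;
}

// Constructed sample lockfiles (npm lockfile v3 shape, trimmed to the fields
// the audit reads). BEFORE mirrors the PR's "Why"; the dependency path that
// carries 7.5.8 is invented for illustration.
const LOCK_BEFORE = {
  packages: {
    'node_modules/protobufjs': { version: '7.6.4' },
    'node_modules/@opentelemetry/otlp-transformer/node_modules/protobufjs': { version: '8.0.0' },
    'node_modules/example-dep/node_modules/protobufjs': { version: '7.5.8' },
  },
};
const LOCK_AFTER = {
  packages: {
    'node_modules/protobufjs': { version: '7.6.4' },
    'node_modules/@opentelemetry/otlp-transformer/node_modules/protobufjs': { version: '8.6.4' },
  },
};

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  const result = auditLock(lock);
  console.log(`${label}: ${result.length ? JSON.stringify(result, null, 2) : 'clean'}`);
}
```

To run it against a real tree, replace the sample object with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and run auditLock on it; a clean result is the evidence the Verification bullets assert (no nested 8.0.0 or 7.5.8 left behind). The "outside every override target" branch exists because a range-keyed override only rewrites versions matching its key; with the four ranges in this PR the 7.x and 8.x lines are fully covered, so that branch only fires for rule sets that leave gaps.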

@coderabbitai Bot commented Jun 17, 2026
No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 359767c and 32f82fc.

⛔ Files ignored due to path filters (2)
  • javascript/package-lock.json is excluded by !**/package-lock.json
  • javascript/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • javascript/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • javascript/package.json

Walkthrough

javascript/package.json adds a top-level overrides block for protobufjs and updates the existing pnpm.overrides mapping to the new version bounds.

Changes

protobufjs dependency override update

  • Layer: protobufjs version range constraints
    File(s): javascript/package.json
    Summary: Added top-level overrides block with two protobufjs range rules and updated the existing pnpm.overrides entries to match those same bounds.

Suggested Reviewers

  • sergioestebance

Poem

A rabbit hopped through version strings,
And tied up protobufjs with tidy springs.
Bounds now nudge the right release in sight,
Keeping the package garden neat and right.
🐇

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

  • Linked Issues check (Warning): The linked issue asks to delete javascript/examples/vitest/pnpm-lock.yaml, but this PR only changes package.json overrides. Resolution: delete the orphaned vitest lockfile, or retarget the issue if this PR is meant to address protobufjs overrides instead.
  • Out of Scope Changes check (Warning): The package.json protobufjs override changes are unrelated to the linked issue's required lockfile deletion. Resolution: remove the unrelated override edits, or update the linked issue to match this protobufjs security work.

✅ Passed checks (3 passed)

  • Title check (Passed): The title clearly matches the main change: raising protobufjs override floors for security.
  • Description check (Passed): The description is directly about the protobufjs override-floor updates in the JavaScript package files.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@langwatch-agent (Contributor, Author)

CI fully green. Closes the CRITICAL protobufjs arbitrary-code-execution alert #426 plus the surrounding 8.x/7.x cluster across both the npm and pnpm javascript locks. Ready for human review.

@langwatch-agent langwatch-agent force-pushed the dependabot-scout/protobufjs-security branch from 61a82ef to 359767c (June 24, 2026 06:06)
@langwatch-agent langwatch-agent force-pushed the dependabot-scout/protobufjs-security branch from 359767c to 32f82fc (June 24, 2026 06:16)
@github-actions (Contributor)

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure.

  • Scope: Update javascript dependency overrides (npm "overrides" and pnpm.overrides) and corresponding package-lock.json and pnpm-lock.yaml entries to raise protobufjs floors (8.x -> >=8.6.0, 7.x -> >=7.6.3), with related lockfile resolution updates.
  • Exclusions confirmed: no changes to auth, security settings, database schema, business-critical logic, or external integrations.
  • Classification: low-risk-change under the documented policy.

The changes are limited to dependency overrides and lockfile updates that raise the minimum protobufjs versions across the javascript workspace; no authentication/authorization, secrets, database schema/migrations, business‑critical logic, or external integration code is altered. These are configuration/lockfile adjustments intended to remediate vulnerabilities and are reversible, so they meet the low-risk criteria.

An approving review has been submitted by automation. The PR may merge once required CI checks pass.

@github-actions github-actions Bot added the low-risk-change PR qualifies as low-risk per policy and can be merged without manual review label Jun 24, 2026

@github-actions github-actions Bot left a comment

Approved by automation: PR qualifies as low-risk-change under the documented policy.

@langwatch-agent (Contributor, Author)

Rebased onto current main (resolved the overlap with the merged #684 hono+ws; kept both main's hono/ws floors and the protobufjs floors). Locks regenerated so the overrides header matches package.json; protobufjs resolves to 7.6.4 / 8.6.1 (pnpm) and 7.6.4 / 8.6.4 (npm), closing the CRITICAL #426 and the HIGH protobufjs alerts. CI fully green, MERGEABLE. Ready for human review and merge.

@drewdrewthis drewdrewthis merged commit 7841995 into main Jul 2, 2026
18 checks passed
@drewdrewthis drewdrewthis deleted the dependabot-scout/protobufjs-security branch July 2, 2026 11:30