fix(deps): bump transitive protobufjs to 7.6.4 (Snyk)#215

Merged
radovanjorgic merged 1 commit into
mainfrom
fix/protobufjs-vulns-snyk
Jul 2, 2026

Conversation

@radovanjorgic radovanjorgic commented Jul 2, 2026

https://app.devrev.ai/devrev/issue/ASCPT-41

What

Bumps the locked protobufjs resolution 7.5.8 → 7.6.4 to resolve 3 Snyk findings. Only package-lock.json changes — no package.json / overrides edit — because @devrev/typescript-sdk already declares protobufjs: ^7.3.0, so the patched version fits its existing range. The fix was applied with npm update protobufjs.

Vulnerabilities resolved

All transitive via @devrev/typescript-sdk > protobufjs:

| Sev | Vulnerability | Fixed in |
| --- | --- | --- |
| 🔴 High | Arbitrary Code Injection | 7.6.2 |
| 🔴 High | Uncontrolled Recursion | 7.6.1 |
| 🟠 Medium | Improper Check for Unusual/Exceptional Conditions | 7.6.3 |

Verification

$ snyk test --all-projects
✔ Tested 81 dependencies for known issues, no vulnerable paths found.

Note

The fix lives in the committed lockfile (no override pin). A future rm package-lock.json && npm install could re-resolve lower until @devrev/typescript-sdk carries the bump upstream; committing the lockfile covers CI and normal installs.

🤖 Generated with Claude Code

@radovanjorgic radovanjorgic requested review from a team and gasperzgonec as code owners July 2, 2026 09:53

Refreshes the locked protobufjs resolution (7.5.8 -> 7.6.4) via
`npm update protobufjs`. No package.json change is needed because
@devrev/typescript-sdk already declares protobufjs ^7.3.0, so the
patched version fits its existing range.

Resolves 3 Snyk findings (all transitive via
@devrev/typescript-sdk > protobufjs):
- High: Arbitrary Code Injection (SNYK-JS-PROTOBUFJS-17362837)
- High: Uncontrolled Recursion (SNYK-JS-PROTOBUFJS-17353320)
- Medium: Improper Check for Unusual/Exceptional Conditions (SNYK-JS-PROTOBUFJS-17353168)

Verified clean with `snyk test --all-projects`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@radovanjorgic radovanjorgic force-pushed the fix/protobufjs-vulns-snyk branch from d58a39c to 5d749a3 Compare July 2, 2026 09:55
@radovanjorgic radovanjorgic merged commit 8e46261 into main Jul 2, 2026
9 of 10 checks passed
@radovanjorgic radovanjorgic deleted the fix/protobufjs-vulns-snyk branch July 2, 2026 09:58