chore(deps): update dependency protobufjs-cli to v1.2.1 [security]#8253
Open
renovate-bot wants to merge 1 commit into
Open
chore(deps): update dependency protobufjs-cli to v1.2.1 [security]#8253renovate-bot wants to merge 1 commit into
renovate-bot wants to merge 1 commit into
Conversation
Collaborator
|
/gcbrun |
Contributor
There was a problem hiding this comment.
Code Review
This pull request updates several dependencies across the project's lock files, including package-lock.json, pnpm-lock.yaml, and yarn.lock. Key changes include moving prettier to production dependencies, upgrading protobufjs-cli to version 1.2.1, and updating various @babel components and the semver package. I have no feedback to provide.
danieljbruce
approved these changes
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.2.0→1.2.1protobuf.js is Vulnerable to OS Command Injection in the CLI
CVE-2026-42290 / GHSA-f84p-cvgm-xgjj
More information
Details
Summary
pbtsinvoked JSDoc by building a shell command string from input file paths and executing it throughchild_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.Impact
An attacker who can control file names or paths passed to
pbtsmay be able to execute arbitrary shell commands with the privileges of the process runningpbts.This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.
Preconditions
pbtson file paths influenced by an attacker.pbtsversion must execute the generated JSDoc command through a shell.Workarounds
Do not run affected versions of
pbtson attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invokingpbts, or run the CLI in an isolated environment with minimal privileges.Severity
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
protobuf.js: Code injection in pbjs static output from crafted schema names
CVE-2026-44295 / GHSA-6r35-46g8-jcw9
More information
Details
Summary
pbjsstatic code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization.Impact
An attacker who can provide or influence schemas passed to
pbjsmay be able to cause generated JavaScript output to contain attacker-controlled code. The injected code would run if the generated file is later executed or imported by the application or build process.This affects the protobufjs CLI static code generation path. Applications that only use trusted schemas, or that do not execute generated output from untrusted schemas, are not directly affected.
Preconditions
pbjsstatic code generation on a schema or JSON descriptor influenced by an attacker.Workarounds
Do not run affected versions of
pbjsstatic code generation on untrusted schemas or descriptors. If untrusted schemas must be accepted, validate schema names before code generation and run generation in an isolated environment.Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
protobufjs/protobuf.js (protobufjs-cli)
v1.2.1: protobufjs-cli: v1.2.1Compare Source
Bug Fixes
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.