chore: upgrade protobufjs to ^7.5.6 to address CVE-2026-44291, CVE-2026-44292

[brendan-kellam]

Fixes SOU-1117
Fixes SOU-1118

Summary

This PR addresses two CVEs in protobufjs by upgrading from 7.5.5 to ^7.5.6 (lockfile resolves to 7.5.8):

• CVE-2026-44291 — Code generation gadget after prototype pollution. protobufjs used plain objects with inherited prototypes for internal type lookup tables; if Object.prototype is polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information, potentially emitting attacker-controlled strings into generated JavaScript code.
• CVE-2026-44292 — Prototype injection in generated message constructors. Generated message constructors copy all enumerable properties from a provided properties object without filtering the __proto__ key.

Changes

Added Yarn resolutions to force protobufjs to ^7.5.6 for all dependency ranges:

• protobufjs@npm:^7.4.0 → ^7.5.6
• protobufjs@npm:^7.5.3 → ^7.5.6
• protobufjs@npm:^7.5.4 → ^7.5.6

This upgrades all instances of protobufjs from 7.5.5 to 7.5.8 (latest patched version).

References

• CVE-2026-44291 advisory
• CVE-2026-44292 advisory
• protobufjs v7.5.6 Release

Summary by CodeRabbit

• Bug Fixes
  • Patched security vulnerabilities in a core dependency to improve application security and ensure consistent dependency resolution across the project.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f271d927-9c99-4e20-8fc2-7d5e4a12ef79

📥 Commits

Reviewing files that changed from the base of the PR and between d5ad64c and 8c47cf3.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• CHANGELOG.md
• package.json

---

Walkthrough

This PR addresses a security vulnerability in the protobufjs dependency by forcing resolution to version 7.5.6 across multiple semver ranges via Yarn resolutions and documenting the upgrade in the changelog.

Changes

Dependency Security Update

Layer / File(s)	Summary
protobufjs 7.5.6 resolution and changelog package.json, CHANGELOG.md	Yarn resolutions map updated with three protobufjs semver ranges (^7.4.0, ^7.5.3, ^7.5.4) all pinned to ^7.5.6; changelog entry added documenting the upgrade with CVE references.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

• msukkari

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/cve/protobufjs-0604

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

License Audit

⚠️ Status: PASS

Metric	Count
Total packages	1944
Resolved (non-standard)	19
Unresolved	0
Strong copyleft	0
Weak copyleft	39

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.0.5	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-wasm32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
axe-core	4.10.3	MPL-2.0
dompurify	3.4.0	(MPL-2.0 OR Apache-2.0)
lightningcss	1.32.0	MPL-2.0
lightningcss-android-arm64	1.32.0	MPL-2.0
lightningcss-darwin-arm64	1.32.0	MPL-2.0
lightningcss-darwin-x64	1.32.0	MPL-2.0
lightningcss-freebsd-x64	1.32.0	MPL-2.0
lightningcss-linux-arm-gnueabihf	1.32.0	MPL-2.0
lightningcss-linux-arm64-gnu	1.32.0	MPL-2.0
lightningcss-linux-arm64-musl	1.32.0	MPL-2.0
lightningcss-linux-x64-gnu	1.32.0	MPL-2.0
lightningcss-linux-x64-musl	1.32.0	MPL-2.0
lightningcss-win32-arm64-msvc	1.32.0	MPL-2.0
lightningcss-win32-x64-msvc	1.32.0	MPL-2.0

Resolved Packages (19)

Package	Version	Original	Resolved	Source
@react-grab/cli	0.1.29	UNKNOWN	MIT	LICENSE file inside npm tarball
@react-grab/mcp	0.1.29	UNKNOWN	MIT	LICENSE file inside npm tarball
@sentry/cli	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata
@sentry/cli-darwin	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-arm	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-arm64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-i686	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-x64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-win32-arm64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-win32-i686	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-win32-x64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
codemirror-lang-elixir	4.0.0	UNKNOWN	Apache-2.0	LICENSE file inside npm tarball
element-source	0.0.3	UNKNOWN	MIT	LICENSE file inside npm tarball
lezer-elixir	1.1.2	UNKNOWN	Apache-2.0	LICENSE file inside npm tarball
map-stream	0.1.0	UNKNOWN	MIT	LICENCE file inside npm tarball
memorystream	0.3.1	UNKNOWN	MIT	extracted from licenses[0].type in package metadata
pause-stream	0.0.11	MIT,Apache2	MIT	extracted from license array in package metadata (dual MIT/Apache2)
posthog-js	1.369.0	SEE LICENSE IN LICENSE	Apache-2.0 AND MIT	LICENSE file on GitHub (PostHog/posthog-js)
valid-url	1.0.9	UNKNOWN	MIT	LICENSE file on GitHub (ogt/valid-url)