chore: upgrade protobufjs to ^7.5.6 to address CVE-2026-44291, CVE-2026-44292 by brendan-kellam · Pull Request #1202 · sourcebot-dev/sourcebot

brendan-kellam · 2026-05-13T18:32:26Z

Fixes SOU-1117
Fixes SOU-1118

Summary

This PR addresses two CVEs in protobufjs by upgrading from 7.5.5 to ^7.5.6 (lockfile resolves to 7.5.8):

CVE-2026-44291 — Code generation gadget after prototype pollution. protobufjs used plain objects with inherited prototypes for internal type lookup tables; if Object.prototype is polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information, potentially emitting attacker-controlled strings into generated JavaScript code.
CVE-2026-44292 — Prototype injection in generated message constructors. Generated message constructors copy all enumerable properties from a provided properties object without filtering the __proto__ key.

Changes

Added Yarn resolutions to force protobufjs to ^7.5.6 for all dependency ranges:

protobufjs@npm:^7.4.0 → ^7.5.6
protobufjs@npm:^7.5.3 → ^7.5.6
protobufjs@npm:^7.5.4 → ^7.5.6

This upgrades all instances of protobufjs from 7.5.5 to 7.5.8 (latest patched version).

References

Summary by CodeRabbit

Bug Fixes
- Patched security vulnerabilities in a core dependency to improve application security and ensure consistent dependency resolution across the project.

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>

coderabbitai · 2026-05-13T18:32:34Z

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f271d927-9c99-4e20-8fc2-7d5e4a12ef79

📥 Commits

Reviewing files that changed from the base of the PR and between d5ad64c and 8c47cf3.

⛔ Files ignored due to path filters (1)

yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

CHANGELOG.md
package.json

Walkthrough

This PR addresses a security vulnerability in the protobufjs dependency by forcing resolution to version 7.5.6 across multiple semver ranges via Yarn resolutions and documenting the upgrade in the changelog.

Changes

Dependency Security Update

Layer / File(s)	Summary
protobufjs 7.5.6 resolution and changelog `package.json`, `CHANGELOG.md`	Yarn `resolutions` map updated with three protobufjs semver ranges (`^7.4.0`, `^7.5.3`, `^7.5.4`) all pinned to `^7.5.6`; changelog entry added documenting the upgrade with CVE references.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

msukkari

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch cursor/cve/protobufjs-0604

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>

github-actions · 2026-05-13T18:35:15Z

License Audit

⚠️ Status: PASS

Metric	Count
Total packages	1944
Resolved (non-standard)	19
Unresolved	0
Strong copyleft	0
Weak copyleft	39

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm	1.0.5	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-ppc64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-riscv64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-s390x	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-s390x	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-wasm32	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later AND MIT`
@img/sharp-wasm32	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later AND MIT`
@img/sharp-win32-arm64	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-ia32	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-ia32	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-x64	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-x64	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
axe-core	4.10.3	`MPL-2.0`
dompurify	3.4.0	`(MPL-2.0 OR Apache-2.0)`
lightningcss	1.32.0	`MPL-2.0`
lightningcss-android-arm64	1.32.0	`MPL-2.0`
lightningcss-darwin-arm64	1.32.0	`MPL-2.0`
lightningcss-darwin-x64	1.32.0	`MPL-2.0`
lightningcss-freebsd-x64	1.32.0	`MPL-2.0`
lightningcss-linux-arm-gnueabihf	1.32.0	`MPL-2.0`
lightningcss-linux-arm64-gnu	1.32.0	`MPL-2.0`
lightningcss-linux-arm64-musl	1.32.0	`MPL-2.0`
lightningcss-linux-x64-gnu	1.32.0	`MPL-2.0`
lightningcss-linux-x64-musl	1.32.0	`MPL-2.0`
lightningcss-win32-arm64-msvc	1.32.0	`MPL-2.0`
lightningcss-win32-x64-msvc	1.32.0	`MPL-2.0`

Resolved Packages (19)

Package	Version	Original	Resolved	Source
@react-grab/cli	0.1.29	`UNKNOWN`	`MIT`	LICENSE file inside npm tarball
@react-grab/mcp	0.1.29	`UNKNOWN`	`MIT`	LICENSE file inside npm tarball
@sentry/cli	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry metadata
@sentry/cli-darwin	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-arm	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-arm64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-i686	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-x64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-win32-arm64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-win32-i686	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-win32-x64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry metadata (matches parent @sentry/cli)
codemirror-lang-elixir	4.0.0	`UNKNOWN`	`Apache-2.0`	LICENSE file inside npm tarball
element-source	0.0.3	`UNKNOWN`	`MIT`	LICENSE file inside npm tarball
lezer-elixir	1.1.2	`UNKNOWN`	`Apache-2.0`	LICENSE file inside npm tarball
map-stream	0.1.0	`UNKNOWN`	`MIT`	LICENCE file inside npm tarball
memorystream	0.3.1	`UNKNOWN`	`MIT`	extracted from licenses[0].type in package metadata
pause-stream	0.0.11	`MIT,Apache2`	`MIT`	extracted from license array in package metadata (dual MIT/Apache2)
posthog-js	1.369.0	`SEE LICENSE IN LICENSE`	`Apache-2.0 AND MIT`	LICENSE file on GitHub (PostHog/posthog-js)
valid-url	1.0.9	`UNKNOWN`	`MIT`	LICENSE file on GitHub (ogt/valid-url)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chore: upgrade protobufjs to ^7.5.6 to address CVE-2026-44292

3ab35c8

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>

docs: add CHANGELOG entry for protobufjs CVE fix

a0f402f

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>

docs: append CVE-2026-44291 to protobufjs CHANGELOG entry

8c47cf3

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

brendan-kellam changed the title ~~chore: upgrade protobufjs to ^7.5.6 to address CVE-2026-44292~~ chore: upgrade protobufjs to ^7.5.6 to address CVE-2026-44291, CVE-2026-44292 May 15, 2026

brendan-kellam marked this pull request as ready for review May 15, 2026 23:42

brendan-kellam closed this May 15, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: upgrade protobufjs to ^7.5.6 to address CVE-2026-44291, CVE-2026-44292#1202

chore: upgrade protobufjs to ^7.5.6 to address CVE-2026-44291, CVE-2026-44292#1202
brendan-kellam wants to merge 3 commits into
mainfrom
cursor/cve/protobufjs-0604

brendan-kellam commented May 13, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented May 13, 2026 •

edited

Loading

Review failed

Uh oh!

github-actions Bot commented May 13, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

brendan-kellam commented May 13, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Changes

References

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented May 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review failed

Walkthrough

Changes

Estimated code review effort

Suggested reviewers

Uh oh!

github-actions Bot commented May 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

License Audit

Weak Copyleft Packages (informational)

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

brendan-kellam commented May 13, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 13, 2026 •

edited

Loading

github-actions Bot commented May 13, 2026 •

edited

Loading