
fix(root): bump protobufjs to 7.5.8 via yarn resolution#8757

Merged: manojkumar138 merged 1 commit into master from CECHO-973-bump-protobufjs on May 13, 2026

Conversation

@manojkumar138 (Contributor) commented May 12, 2026

Summary

  • Add yarn resolution "protobufjs": "^7.5.8" to bump all protobufjs deps to patched version
  • Fixes GHSA-66ff-xgx4-vchm (code injection via bytes field defaults) and GHSA-75px-5xx7-5xc7 (code generation gadget after prototype pollution)
  • All protobufjs entries in yarn.lock now resolve to 7.5.8 (previously 6.11.4, 7.2.5, 7.5.4)

Test plan

  • CI audit step passes
  • AppSec approval for dependency bump

CECHO-973

@manojkumar138 manojkumar138 requested review from a team as code owners May 12, 2026 20:21
@manojkumar138 manojkumar138 requested a review from alextse-bg May 12, 2026 20:21
linear-code Bot commented May 12, 2026

CECHO-973

@manojkumar138 manojkumar138 requested a review from Marzooqa May 12, 2026 20:21
@manojkumar138 manojkumar138 force-pushed the CECHO-973-bump-protobufjs branch from 3b03f3e to 3da3607 Compare May 12, 2026 20:22
@manojkumar138 manojkumar138 changed the title from "fix(root): bump protobufjs to 7.5.8 and exclude residual advisories" to "fix(root): bump protobufjs to 7.5.8 via yarn resolution" May 12, 2026
@manojkumar138 manojkumar138 force-pushed the CECHO-973-bump-protobufjs branch from 3da3607 to 28d538f Compare May 12, 2026 20:24
@bhargavirao24

@manojkumar138 SafeChain is blocking 7.5.8 because it was published today and is still within the 7-day cooldown window. 7.5.6 already has the fix and has been out for around 2 weeks, so it's past the cooldown. Can you update the resolution from
"protobufjs": "^7.5.8"
to
"protobufjs": "7.5.6"
Exact pinning is nice for resolutions since it keeps the version reproducible and easier to audit. That should fix both advisories and unblock CI without needing any approval or bypass.

This should work but let me know if you run into any issues
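The PR description and the review comment above both turn on the same check: after the resolution is in place, every protobufjs entry in yarn.lock should resolve to one version at or above the patched floor, and the resolution itself should be an exact pin rather than a caret range. The script below is an added example written for this page, not code from the PR or from the protobufjs project. It assumes the yarn v1 text lock format; the lock excerpts, the registry URLs, the function names (auditLock, isExactPin, resolvedVersions) and the floor of 7.5.6 taken from the comment are all constructed for illustration.

```javascript
// Added example (not from the PR or the protobufjs project): audit a yarn.lock
// (v1 text format) for one package and check that every entry resolves to a
// single exact version at or above a patched floor, and that the package.json
// resolution is an exact pin. All lock excerpts below are constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when a >= b, comparing major.minor.patch only (no prerelease handling).
function versionGte(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] > y[i];
  }
  return true;
}

// Package name from a lock specifier such as `protobufjs@^7.2.5` or
// `@scope/name@~1.0.0` (scoped names keep their leading `@`).
function packageNameOf(specifier) {
  const at = specifier.lastIndexOf('@');
  return at > 0 ? specifier.slice(0, at) : specifier;
}

// Minimal yarn.lock v1 parser: package name -> Set of resolved versions.
// A header line is unindented, ends with ':' and lists one or more
// comma-separated, optionally quoted specifiers; the indented `version`
// line that follows is the version all of them resolve to.
function resolvedVersions(lockText) {
  const byName = new Map();
  let currentNames = [];
  for (const raw of lockText.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      currentNames = line.slice(0, -1).split(',')
        .map(s => packageNameOf(s.trim().replace(/^"|"$/g, '')));
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m) {
      for (const name of currentNames) {
        if (!byName.has(name)) byName.set(name, new Set());
        byName.get(name).add(m[1]);
      }
    }
  }
  return byName;
}

// Audit one package: the versions it resolves to, which of them are below
// `floor`, and whether the lock is in the desired "one patched version" state.
function auditLock(lockText, pkg, floor) {
  const versions = [...(resolvedVersions(lockText).get(pkg) || [])].sort();
  const belowFloor = versions.filter(v => !versionGte(v, floor));
  return { versions, belowFloor, ok: versions.length === 1 && belowFloor.length === 0 };
}

// A resolution is an exact pin only if it is a bare major.minor.patch string
// ("7.5.6"), not a range such as "^7.5.8".
function isExactPin(range) {
  return /^\d+\.\d+\.\d+$/.test(range);
}

// Constructed lock excerpt: the pre-resolution state with three versions.
const LOCK_BEFORE = `# constructed yarn.lock excerpt: before the resolution
protobufjs@^6.11.4:
  version "6.11.4"
  resolved "https://registry.example/protobufjs-6.11.4.tgz"

protobufjs@^7.2.5:
  version "7.2.5"
  resolved "https://registry.example/protobufjs-7.2.5.tgz"

"protobufjs@^7.5.3", protobufjs@^7.5.4:
  version "7.5.4"
  resolved "https://registry.example/protobufjs-7.5.4.tgz"

"@protobufjs/base64@^1.1.2":
  version "1.1.2"
`;

// Constructed lock excerpt: every specifier now resolves to the pinned version.
const LOCK_AFTER = `# constructed yarn.lock excerpt: after "protobufjs": "7.5.6"
protobufjs@7.5.6, protobufjs@^6.11.4, protobufjs@^7.2.5, "protobufjs@^7.5.3", protobufjs@^7.5.4:
  version "7.5.6"
  resolved "https://registry.example/protobufjs-7.5.6.tgz"
`;

console.log('before:', auditLock(LOCK_BEFORE, 'protobufjs', '7.5.6'));
console.log('after: ', auditLock(LOCK_AFTER, 'protobufjs', '7.5.6'));
console.log('exact pin "^7.5.8"?', isExactPin('^7.5.8'), ' "7.5.6"?', isExactPin('7.5.6'));
```

Run it with `node` against a real yarn.lock by replacing the constructed excerpts with `fs.readFileSync('yarn.lock', 'utf8')`; the same check is what a CI audit step can enforce so that a later `yarn install` cannot silently reintroduce an older protobufjs through a new transitive dependency.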

Add yarn resolution to pin protobufjs to 7.5.6, fixing GHSA-66ff-xgx4-vchm
and GHSA-75px-5xx7-5xc7. Version 7.5.6 is past the 7-day SafeChain cooldown.
All protobufjs entries in yarn.lock now resolve to 7.5.6.

CECHO-973

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@manojkumar138 manojkumar138 force-pushed the CECHO-973-bump-protobufjs branch from 28d538f to 3c1f740 Compare May 12, 2026 21:19
@manojkumar138 manojkumar138 merged commit 781ebdc into master May 13, 2026
22 checks passed