
chore(deps): override protobufjs to 7.5.6+ (GHSA-q6x5-8v7m-xcrf et al) #52

Closed
jrphilo wants to merge 1 commit into main from chore/security-protobufjs-q6x5

chore(deps): override protobufjs to 7.5.6+ (GHSA-q6x5-8v7m-xcrf et al)#52
jrphilo wants to merge 1 commit into
mainfrom
chore/security-protobufjs-q6x5

Conversation

jrphilo (Collaborator) commented May 13, 2026

Summary

docs@0.1.0
└─┬ posthog-js 1.369.3
  └─┬ @opentelemetry/exporter-logs-otlp-http 0.208.0
    └─┬ @opentelemetry/otlp-transformer 0.208.0
      └── protobufjs 7.5.5 → 7.5.8 (post-override)
  • Exposure: protobufjs is reached only through posthog-js's OpenTelemetry logs exporter; our app never imports protobufjs directly (no source-tree references in src/ or scripts/). We don't author .proto files, don't decode attacker-controlled protobuf payloads, and don't expose generated toObject codepaths. The advisories all describe attacker-supplied protobuf data reaching generated decode/encode code, which isn't reachable through our usage. Bumping is still the right move — it's a deterministic transitive fix with no behavior change for our integration.

Test plan

  • pnpm install succeeds; lockfile updated
  • pnpm why protobufjs reports 7.5.8 (>= 7.5.6 patched floor)
  • CI green (lint + build + check:links)

AI-assistance disclosure: this PR was drafted by an AI agent (Claude / Ralphie) as part of the docs repo dependency-triage loop. The change is mechanical (a pnpm.overrides entry) and the exposure assessment is grounded in a repo grep and the advisory text. A maintainer should still skim the diff and the advisories before merging.

Clears 7 Dependabot alerts on transitive protobufjs (via posthog-js →
@opentelemetry/exporter-logs-otlp-http). All patched at 7.5.6+:

- GHSA-685m-2w69-288q (CVE-2026-44289): DoS via unbounded recursion
- GHSA-66ff-xgx4-vchm (CVE-2026-44293): Code injection in toObject
- GHSA-2pr8-phx7-x9h3 (CVE-2026-44294): DoS from crafted field names
- GHSA-fx83-v9x8-x52w (CVE-2026-44292): Prototype injection
- GHSA-75px-5xx7-5xc7 (CVE-2026-44291): Codegen gadget after pollution
- GHSA-jvwf-75h9-cwgg (CVE-2026-44290): Process-wide DoS via option paths
- GHSA-q6x5-8v7m-xcrf (CVE-2026-44288): @protobufjs/utf8 overlong decode

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@jrphilo jrphilo added dependencies Pull requests that update a dependency file security Security-related changes (Dependabot alert sweeps, advisories) labels May 13, 2026
cloudflare-workers-and-pages (bot) commented May 13, 2026

Deploying with Cloudflare Workers

Status: Deployment successful!
Name: docs-preview
Latest Commit: 63c1ad8
Updated (UTC): May 13 2026, 01:37 PM

jrphilo (Collaborator, Author) commented May 13, 2026

Ralphie verified this — ready to merge.

Verification

  • lint: ✓
  • build: ✓ (Next.js type-check + bundle, 11/11 static pages generated)
  • check:links: ✓ (39 files, 3 internal links, 0 broken)

Changelog highlights

  • This is an alert-sweep override PR, not a version bump — the "changelog" is the seven advisories listed in the PR body (GHSA-q6x5-8v7m-xcrf and friends, all patched in protobufjs@7.5.6).
  • Post-override pnpm why protobufjs reports 7.5.8, well above the patched floor.

Investigation

  • Ownership: no ownership change — this is a transitive-dep version floor, no publisher swap.
  • Auth/secrets: none — pnpm.overrides edit only; no auth/secret-handling code touched.
  • Security advisory: GHSA-q6x5-8v7m-xcrf et al. (seven advisories) — investigated → all describe attacker-controlled protobuf payloads reaching generated encode/decode code (toObject, bytes-field defaults, option paths, UTF-8 decoding). We reach protobufjs only via posthog-js@1.369.3 → @opentelemetry/exporter-logs-otlp-http → @opentelemetry/otlp-transformer. Confirmed by pnpm why protobufjs and grep -r protobuf src/ (no hits). We don't author .proto files, don't decode attacker-controlled protobuf payloads, don't expose generated codepaths. Override is deterministic and the right floor.
  • Deprecations: none we'd hit.
  • Breaking API: none — protobufjs@7.5.5 → 7.5.8 is a patch-level move within the 7.5.x range; no API surface change for the OpenTelemetry transformer.

Recommendation

Safe to merge. The override is mechanical, the resolved version (7.5.8) clears all seven advisories' patched floors (7.5.6), and our exposure to the vulnerable surfaces is zero — protobufjs is reached only through posthog-js's OTLP logs exporter and we don't process attacker-controlled protobuf input.

@jrphilo jrphilo added the ralphie:ready-to-merge Ralphie verified; maintainer to merge label May 13, 2026
jrphilo (Collaborator, Author) commented May 13, 2026

Closing — superseded by #57, which batches this override with the fast-xml-builder override (#53) onto current main to avoid a rebase cascade after the recent merge wave.

@jrphilo jrphilo closed this May 13, 2026
jrphilo added a commit that referenced this pull request May 13, 2026
Combines #52 and #53 into a single PR off main, avoiding the
rebase cascade after #44/#42/#54/#55 churn. Both are mechanical
pnpm.overrides additions:

- protobufjs ^7.5.6 — clears alerts #7-14
  (GHSA-q6x5-8v7m-xcrf, GHSA-jvwf-75h9-cwgg, GHSA-75px-5xx7-5xc7,
   GHSA-fx83-v9x8-x52w, GHSA-2pr8-phx7-x9h3, GHSA-66ff-xgx4-vchm,
   GHSA-685m-2w69-288q). Reached via posthog-js OTLP exporter;
   not directly imported by our app.

- fast-xml-builder ^1.1.7 — clears alerts #3, #4
  (GHSA-5wm8-gmm8-39j9, GHSA-45c6-75p6-83cc). Reached via
   @opennextjs/cloudflare → AWS SDK build/deploy tooling; not
   directly used.

Replaces #52, #53.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jrphilo added a commit that referenced this pull request May 13, 2026
…es (#59)

Adds PROMPT_dependency_batch.md and a Phase 3 invocation to
dependency.sh. After Phase 2 drains, if ≥2 PRs are
ralphie:ready-to-merge AND share at least one touched file path
(in practice always pnpm-lock.yaml), Phase 3 opens a single batch
PR off fresh origin/main that combines their package.json edits,
regenerates the lockfile once, verifies the combined diff
(lint/build/check:links), and closes the constituents with
ralphie:replaced-by-newer-pr.

Motivates: today's wave required manually batching #52 and #53
after merge-cascade conflicts. Same pattern will repeat weekly
per the Dependabot schedule; this automates it.

New flags:
- --batch-only: skip Phase 1+2, batch the current ready set.
- --no-batch:   skip Phase 3 entirely.

dependency-rules.md gains a Phase 3 section: eligibility gates
(≥2 ready, ≥1 file overlap), batchable edit shapes
(pnpm.overrides, dependencies versions, same-package version
conflicts take the higher), verification recipe, outcomes table,
batch PR body shape, and constituent comment shapes.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>