chore(deps): batch security overrides — protobufjs + fast-xml-builder#57
Merged
This was referenced May 13, 2026
Combines #52 and #53 into a single PR off main, avoiding the rebase cascade after #44/#42/#54/#55 churn. Both are mechanical pnpm.overrides additions:

- protobufjs ^7.5.6 — clears alerts #7-14 (GHSA-q6x5-8v7m-xcrf, GHSA-jvwf-75h9-cwgg, GHSA-75px-5xx7-5xc7, GHSA-fx83-v9x8-x52w, GHSA-2pr8-phx7-x9h3, GHSA-66ff-xgx4-vchm, GHSA-685m-2w69-288q). Reached via posthog-js OTLP exporter; not directly imported by our app.
- fast-xml-builder ^1.1.7 — clears alerts #3, #4 (GHSA-5wm8-gmm8-39j9, GHSA-45c6-75p6-83cc). Reached via @opennextjs/cloudflare → AWS SDK build/deploy tooling; not directly used.

Replaces #52, #53.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Combines #52 and #53 into a single PR off main to avoid a rebase cascade after the wave of merges (#44, #42, #54, #55). Both are mechanical pnpm.overrides additions on the transitive deps; no source touches.

protobufjs ^7.5.6

Clears 8 Dependabot alerts:

Path in tree:
posthog-js → @opentelemetry/exporter-logs-otlp-http → @opentelemetry/otlp-transformer → protobufjs 7.5.5 → 7.5.8 (post-override).

Exposure: reached only through PostHog's OTLP logs exporter. We never import protobufjs directly, never author .proto files, never decode attacker-controlled protobuf payloads. Bump is still the correct deterministic fix.

fast-xml-builder ^1.1.7

Clears 2 Dependabot alerts:

Path in tree:
@opennextjs/cloudflare → @aws-sdk/client-cloudfront → @aws-sdk/xml-builder → fast-xml-parser → fast-xml-builder 1.1.5 → 1.2.0 (post-override).

Exposure: reached only through the Cloudflare deploy tooling's bundled AWS SDK. We do not serialize attacker-controlled data to XML. Bump is the correct deterministic fix.

Test plan

- pnpm install succeeds; lockfile regenerated cleanly
- pnpm why protobufjs reports 7.5.8 (≥ 7.5.6 patched floor)
- pnpm why fast-xml-builder reports 1.2.0 (≥ 1.1.7 patched floor)
- pnpm lint — clean
- pnpm build — clean
- pnpm check:links — clean

Replaces #52, #53.
AI-assistance disclosure: this PR was assembled by Claude as a manual batch combining two AI-drafted security override PRs that went stale during a merge wave. Both component overrides were originally drafted by Ralphie (the docs dependency loop) with the same advisory grounding; this PR is the human-driven merge of those two diffs onto current main.
🤖 Generated with Claude Code
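The "reports ≥ patched floor" check from the test plan, written out as a small script. This is an added example, not code from the PR or the repository; the override map and the resolved versions are constructed inline to mirror the two entries above (in practice they would come from package.json and from pnpm why output), and the checker handles caret ranges only.

```javascript
// Constructed to mirror the PR's two pnpm.overrides entries (assumption: caret ranges only).
const overrides = {
  'protobufjs': '^7.5.6',
  'fast-xml-builder': '^1.1.7',
};

// Parse "major.minor.patch" (pre-release/build suffixes are ignored for this check).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret semantics: ^x.y.z allows >= x.y.z and < the next breaking version
// (next major when x > 0, next minor for 0.y.z, exact patch for 0.0.z).
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// True when `version` is at or above the range's floor and below its upper bound.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const floor = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, floor) >= 0 && compare(v, caretUpperBound(floor)) < 0;
}

// Returns the packages whose resolved version does not honour their override
// (missing from the tree counts as unsatisfied, since the override then did nothing).
function findUnsatisfied(overrides, resolved) {
  const bad = [];
  for (const [pkg, range] of Object.entries(overrides)) {
    const version = resolved[pkg];
    if (version === undefined || !satisfiesCaret(range, version)) bad.push(pkg);
  }
  return bad;
}

// Constructed resolutions matching the post-override tree described in the PR.
const resolved = { 'protobufjs': '7.5.8', 'fast-xml-builder': '1.2.0' };
console.log(findUnsatisfied(overrides, resolved)); // []
```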