fix(deps): update dependency protobufjs to v7.2.5 [security] #1387

renovate-bot · 2025-05-01T20:59:32Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
protobufjs (source)	`7.0.0` -> `7.2.5`

GitHub Vulnerability Alerts

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

Release Notes

protobufjs/protobuf.js (protobufjs)

`v7.2.5`

Compare Source

Bug Fixes

crash in comment parsing (#1890) (eaf9f0a)
deprecation warning for new Buffer (#1905) (e93286e)
possible infinite loop when parsing option (#1923) (f2a8620)

`v7.2.4`

Compare Source

Bug Fixes

do not let setProperty change the prototype (#1899) (e66379f)

`v7.2.3`

Compare Source

Bug Fixes

type names can be split into multiple tokens (#1877) (8817ee6)

`v7.2.2`

Compare Source

Bug Fixes

do not allow to extend same field twice to prevent the error (#1784) (14f0536)

`v7.2.1`

Compare Source

Bug Fixes

cli: fix relative path to Google pb files (#1859) (e42eea4)
Revert "fix: error should be thrown" (4489fa7)
use bundled filename to fix common pb includes (#1860) (dce9a2e)
use ES5 style function syntax (#1830) (64e8936)

`v7.2.0`

Compare Source

Features

cli: generate static files at the granularity of proto messages (#1840) (32f2d6a)

Bug Fixes

error should be thrown (#1817) (e7a3489)

`v7.1.2`

Compare Source

Bug Fixes

types: nested object can be a oneof (#1812) (119d90a)

`v7.1.1`

Compare Source

Bug Fixes

add import long to the generated .d.ts (#1802) (7c27b5a)
generate valid js code for aliased enum values (#1801) (7120e93)

`v7.1.0`

Compare Source

Features

accept unknown enum values in fromObject (#1793) (ef24ae4)
valuesOptions for enums (#1358) (bb6b1d4)

Bug Fixes

deps: update dependency glob to v8 (#1750) (8303a64)
extensions broke oneof (#1789) (d7f501c)
remove unused @types/long (#1785) (0f4af83)
support for nested messages and enums within group blocks (#1790) (f36d4e4)
types: update type deps (#1776) (d87978b)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate-bot requested review from a team as code owners May 1, 2025 20:59

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels May 1, 2025

product-auto-label bot added size: xs Pull request size is extra small. api: datastore Issues related to the googleapis/nodejs-datastore API. labels May 1, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label May 1, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 1, 2025

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 351e5be to 091af7f Compare May 2, 2025 20:26

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels May 2, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label May 2, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 2, 2025

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 091af7f to 6ba3190 Compare May 8, 2025 13:26

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels May 8, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label May 8, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 8, 2025

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 6ba3190 to f23df1a Compare May 8, 2025 14:10

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels May 8, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label May 8, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 8, 2025

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from f23df1a to 063b2be Compare May 8, 2025 16:03

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels May 8, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label May 8, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 8, 2025

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 063b2be to 8eb65a0 Compare May 28, 2025 20:53

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jun 20, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Jun 20, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 20, 2025

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 3ac72f7 to 2eb6bf0 Compare June 20, 2025 17:54

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jun 20, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Jun 20, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 20, 2025

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 2eb6bf0 to c9604cc Compare June 21, 2025 06:51

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jun 21, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Jun 21, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 21, 2025

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from c9604cc to cd6d89a Compare June 21, 2025 14:52

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jun 21, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Jun 21, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 21, 2025

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from cd6d89a to 2be1113 Compare June 21, 2025 21:42

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jun 21, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Jun 21, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 21, 2025

fix(deps): update dependency protobufjs to v7.2.5 [security]

a1c3f72

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 2be1113 to a1c3f72 Compare June 22, 2025 05:25

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jun 22, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Jun 22, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 22, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update dependency protobufjs to v7.2.5 [security] #1387

fix(deps): update dependency protobufjs to v7.2.5 [security] #1387

renovate-bot commented May 1, 2025

Uh oh!

Uh oh!

fix(deps): update dependency protobufjs to v7.2.5 [security] #1387

Are you sure you want to change the base?

fix(deps): update dependency protobufjs to v7.2.5 [security] #1387

Conversation

renovate-bot commented May 1, 2025

GitHub Vulnerability Alerts

Release Notes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Configuration

Uh oh!

Uh oh!