Commit 354ca18

fix: override protobufjs to >=7.5.6 to resolve CVE (GHSA-jvwf-75h9-cwgg)
protobufjs <7.5.6 is vulnerable to process-wide denial of service through unsafe option paths. The vulnerable version (7.4.0) was pulled in transitively via @atproto/bsky -> etcd3 -> @grpc/proto-loader. Added a pnpm override to force protobufjs >=7.5.6 (resolved to 8.2.0).
1 parent f19afe2 commit 354ca18

2 files changed

Lines changed: 13 additions & 68 deletions

package.json

Lines changed: 5 additions & 0 deletions
@@ -34,5 +34,10 @@
3434
"*.{js,ts,cjs,mjs,json}": [
3535
"biome check --write --"
3636
]
37+
},
38+
"pnpm": {
39+
"overrides": {
40+
"protobufjs": ">=7.5.6"
41+
}
3742
}
3843
}
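Review bot: The override range `">=7.5.6"` has no upper bound, and the commit message says it resolved to protobufjs 8.2.0, a major version above the 7.4.0 that @grpc/proto-loader was pulling in; confirm that @grpc/proto-loader's own dependency range accepts 8.x, or narrow the override to `">=7.5.6 <8"` so the fix stays on the major line that consumer was tested against. A pnpm override also applies to every package in the tree that depends on protobufjs, not only the @atproto/bsky -> etcd3 -> @grpc/proto-loader path named in the message, so the pnpm-lock.yaml change (8 additions, 68 deletions, not rendered here) should be read to verify that its only effect is replacing the vulnerable 7.4.0 entry and that no other consumer was moved across a major. Since package.json cannot carry a comment, note the advisory id GHSA-jvwf-75h9-cwgg beside this override in the changelog so the pin can be dropped once upstream consumers require a patched version on their own.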

pnpm-lock.yaml

Lines changed: 8 additions & 68 deletions