Skip to content

Update dependency protobufjs to v6.11.4 [SECURITY]#65

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-protobufjs-vulnerability
Open

Update dependency protobufjs to v6.11.4 [SECURITY]#65
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-protobufjs-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate bot commented Jun 18, 2022
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
protobufjs (source) 6.10.26.11.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25878

The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.

This vulnerability can occur in multiple ways:

  1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
  2. by parsing/loading .proto files

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

Release Notes

protobufjs/protobuf.js (protobufjs)

v6.11.4

Compare Source

v6.11.3

Compare Source

6.11.3 (2022-05-20)
Bug Fixes

v6.11.2

Compare Source

6.11.2 (2021-04-30)
  • regenerated index.d.ts to fix the unintended breaking change in types.

v6.11.1

Compare Source

6.11.1 (2021-04-29)
Bug Fixes

v6.11.0

Compare Source

6.11.0 (2021-04-28)

Features
Bug Fixes
Dependencies

v6.10.3

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency protobufjs to 6.11.3 [SECURITY] Update dependency protobufjs to 6.10.3 [SECURITY] Nov 20, 2022
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from e5f5ea4 to 060961e Compare March 24, 2023 22:58
@renovate renovate bot changed the title Update dependency protobufjs to 6.10.3 [SECURITY] Update dependency protobufjs to v6.10.3 [SECURITY] Mar 24, 2023
@renovate renovate bot changed the title Update dependency protobufjs to v6.10.3 [SECURITY] Update dependency protobufjs to v7 [SECURITY] Jul 7, 2023
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 060961e to 8a288c6 Compare July 7, 2023 21:42
@renovate renovate bot changed the title Update dependency protobufjs to v7 [SECURITY] Update dependency protobufjs to v6.11.4 [SECURITY] Aug 15, 2023
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 8a288c6 to 7b0c10d Compare August 15, 2023 22:06
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 7b0c10d to 5f69306 Compare December 3, 2023 09:27
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch 2 times, most recently from 594b506 to 168fafb Compare January 30, 2025 18:00
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 168fafb to e40a09f Compare February 9, 2025 13:15
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from e40a09f to a7ebeed Compare April 6, 2025 00:08
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from a7ebeed to 682465f Compare April 24, 2025 07:01
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 682465f to ab67b65 Compare May 19, 2025 20:40
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from ab67b65 to ae52f62 Compare May 28, 2025 07:38
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from ae52f62 to 67e05be Compare June 4, 2025 12:57
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 67e05be to ee9de46 Compare June 22, 2025 12:41
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from ee9de46 to 53c3305 Compare July 2, 2025 17:30
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 53c3305 to 8894982 Compare August 10, 2025 14:07
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 8894982 to b746279 Compare August 19, 2025 13:00
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from b746279 to b089932 Compare September 25, 2025 16:40
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from b089932 to b741785 Compare October 21, 2025 16:58
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from b741785 to 243fd55 Compare November 11, 2025 02:32
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 243fd55 to 1c32618 Compare November 18, 2025 09:39
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 1c32618 to 8b822d9 Compare December 31, 2025 16:36
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch 2 times, most recently from 312cdb1 to 0ae8256 Compare January 23, 2026 19:00
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 0ae8256 to 6ac2bcd Compare February 2, 2026 20:53
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 6ac2bcd to 915e3b6 Compare February 12, 2026 14:06
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 915e3b6 to 8fe209c Compare March 5, 2026 14:00
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 8fe209c to 341eae8 Compare March 13, 2026 18:04
@renovate renovate bot changed the title Update dependency protobufjs to v6.11.4 [SECURITY] Update dependency protobufjs to v6.11.4 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-protobufjs-vulnerability branch March 27, 2026 01:16
@renovate renovate bot changed the title Update dependency protobufjs to v6.11.4 [SECURITY] - autoclosed Update dependency protobufjs to v6.11.4 [SECURITY] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch 2 times, most recently from 341eae8 to 90436c7 Compare March 30, 2026 21:15
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 90436c7 to 0775325 Compare April 8, 2026 20:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants