chore: upgrade protobufjs to ^7.5.6 to address CVE-2026-44292

[brendan-kellam]

Fixes SOU-1118
Fixes #215

Summary

This PR addresses CVE-2026-44292, a prototype injection vulnerability in protobufjs where generated message constructors copy all enumerable properties from provided objects without filtering the __proto__ key.

Changes

Added Yarn resolutions to force protobufjs to ^7.5.6 for all dependency ranges:

• protobufjs@npm:^7.4.0 → ^7.5.6
• protobufjs@npm:^7.5.3 → ^7.5.6
• protobufjs@npm:^7.5.4 → ^7.5.6

This upgrades all instances of protobufjs from 7.5.5 to 7.5.8 (latest patched version).

References

• GitHub Security Advisory
• protobufjs v7.5.6 Release

Linear Issue: SOU-1118

  

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2e31bce3-e0db-4d49-afe4-6f2264b88fb8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/cve/protobufjs-0604

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

License Audit

⚠️ Status: PASS

Metric	Count
Total packages	1944
Resolved (non-standard)	19
Unresolved	0
Strong copyleft	0
Weak copyleft	39

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.0.5	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-wasm32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
axe-core	4.10.3	MPL-2.0
dompurify	3.4.0	(MPL-2.0 OR Apache-2.0)
lightningcss	1.32.0	MPL-2.0
lightningcss-android-arm64	1.32.0	MPL-2.0
lightningcss-darwin-arm64	1.32.0	MPL-2.0
lightningcss-darwin-x64	1.32.0	MPL-2.0
lightningcss-freebsd-x64	1.32.0	MPL-2.0
lightningcss-linux-arm-gnueabihf	1.32.0	MPL-2.0
lightningcss-linux-arm64-gnu	1.32.0	MPL-2.0
lightningcss-linux-arm64-musl	1.32.0	MPL-2.0
lightningcss-linux-x64-gnu	1.32.0	MPL-2.0
lightningcss-linux-x64-musl	1.32.0	MPL-2.0
lightningcss-win32-arm64-msvc	1.32.0	MPL-2.0
lightningcss-win32-x64-msvc	1.32.0	MPL-2.0

Resolved Packages (19)

Package	Version	Original	Resolved	Source
@react-grab/cli	0.1.29	UNKNOWN	MIT	LICENSE file inside npm tarball
@react-grab/mcp	0.1.29	UNKNOWN	MIT	LICENSE file inside npm tarball
@sentry/cli	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata
@sentry/cli-darwin	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-arm	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-arm64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-i686	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-linux-x64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-win32-arm64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-win32-i686	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
@sentry/cli-win32-x64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry metadata (matches parent @sentry/cli)
codemirror-lang-elixir	4.0.0	UNKNOWN	Apache-2.0	LICENSE file inside npm tarball
element-source	0.0.3	UNKNOWN	MIT	LICENSE file inside npm tarball
lezer-elixir	1.1.2	UNKNOWN	Apache-2.0	LICENSE file inside npm tarball
map-stream	0.1.0	UNKNOWN	MIT	LICENCE file inside npm tarball
memorystream	0.3.1	UNKNOWN	MIT	extracted from licenses[0].type in package metadata
pause-stream	0.0.11	MIT,Apache2	MIT	extracted from license array in package metadata (dual MIT/Apache2)
posthog-js	1.369.0	SEE LICENSE IN LICENSE	Apache-2.0 AND MIT	LICENSE file on GitHub (PostHog/posthog-js)
valid-url	1.0.9	UNKNOWN	MIT	LICENSE file on GitHub (ogt/valid-url)