
chore(deps): update dependency protobufjs-cli to v1.3.2 [security] #330

Open
renovate-bot wants to merge 1 commit into google:main from renovate-bot:renovate/npm-protobufjs-cli-vulnerability

Conversation

@renovate-bot

@renovate-bot renovate-bot commented May 12, 2026

Contributor

This PR contains the following updates:

Package         Change          Age      Confidence
protobufjs-cli  1.1.2 → 1.3.2   [badge]  [badge]

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


protobuf.js is Vulnerable to OS Command Injection in the CLI

CVE-2026-42290 / GHSA-f84p-cvgm-xgjj


Details

Summary

pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.

Impact

An attacker who can control file names or paths passed to pbts may be able to execute arbitrary shell commands with the privileges of the process running pbts.

This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.

Preconditions
  • The application or user must invoke pbts on file paths influenced by an attacker.
  • The attacker must be able to supply or create a path containing shell-significant characters.
  • The vulnerable pbts version must execute the generated JSDoc command through a shell.
Workarounds

Do not run affected versions of pbts on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking pbts, or run the CLI in an isolated environment with minimal privileges.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


protobuf.js: Code injection in pbjs static output from crafted schema names

CVE-2026-44295 / GHSA-6r35-46g8-jcw9


Details

Summary

pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization.

Impact

An attacker who can provide or influence schemas passed to pbjs may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code would run if the generated file is later executed or imported by the application or build process.

This affects the protobufjs CLI static code generation path. Applications that only use trusted schemas, or that do not execute generated output from untrusted schemas, are not directly affected.

Preconditions
  • The application or build process must run pbjs static code generation on a schema or JSON descriptor influenced by an attacker.
  • The attacker-controlled input must contain crafted schema names that reach generated JavaScript output.
  • The generated JavaScript file must subsequently be executed, imported, or otherwise evaluated.
Workarounds

Do not run affected versions of pbjs static code generation on untrusted schemas or descriptors. If untrusted schemas must be accepted, validate schema names before code generation and run generation in an isolated environment.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

CVE-2026-54271 / GHSA-pr59-h9ph-3fr8


Details

Summary

A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected.

This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.

Impact

An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code.

The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.

Preconditions
  • The application or build process must run pbjs static code generation on a pre-parsed JSON descriptor influenced by an attacker.
  • The generated JavaScript file must subsequently be executed or imported.
  • An affected generated API path must be invoked.
Workarounds

Do not run affected versions of pbjs static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid .proto file. Running code generation in an isolated environment can reduce impact.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

protobufjs/protobuf.js (protobufjs-cli)

v1.3.2: protobufjs-cli: v1.3.2

Compare Source

Bug Fixes

v1.3.1: protobufjs-cli: v1.3.1

Compare Source

Bug Fixes

v1.3.0: protobufjs-cli: v1.3.0

Compare Source

Features

v1.2.2: protobufjs-cli: v1.2.2

Compare Source

Bug Fixes

v1.2.1: protobufjs-cli: v1.2.1

Compare Source

Bug Fixes

v1.2.0: protobufjs-cli: v1.2.0

Compare Source

Features
  • add Edition 2023 Support (f04ded3)
  • add Edition 2023 Support (a84409b)
  • add Edition 2023 Support (9c5a178)
  • add Edition 2023 Support (b2c6867)
  • add Edition 2023 Support (60f3e51)
  • add Edition 2023 Support (a656361)
  • add Edition 2023 Support (1af8454)
  • add feature resolution (a9ffc8a)
  • add feature resolution for protobuf editions (547afa2)
  • api_converters_editions tests added and run successfully (b4b5ca4)
  • increase size of file that protobufjs CLI can process (00d5f1a)
  • increase size of file that protobufjs CLI can process (d36ef0f)

v1.1.3: protobufjs-cli: v1.1.3

Compare Source

Bug Fixes
  • handle nullability for optional fields (59569c1)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot force-pushed the renovate/npm-protobufjs-cli-vulnerability branch from 26a1a3b to 9985d01 on May 28, 2026 19:36
@renovate-bot renovate-bot changed the title chore(deps): update dependency protobufjs-cli to v1.2.1 [security] to chore(deps): update dependency protobufjs-cli to v1.3.2 [security] on Jun 16, 2026
@renovate-bot renovate-bot force-pushed the renovate/npm-protobufjs-cli-vulnerability branch from 9985d01 to 0d26c13 on June 16, 2026 17:41
@forking-renovate


⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: pprof@4.0.0
npm error Found: protobufjs@7.4.0
npm error node_modules/protobufjs
npm error   protobufjs@"~7.4.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer protobufjs@"^7.6.2" from protobufjs-cli@1.3.2
npm error node_modules/protobufjs-cli
npm error   dev protobufjs-cli@"1.3.2" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-06-16T17_41_46_694Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-06-16T17_41_46_694Z-debug-0.log

