Skip to content

fix(deps): bump protobufjs, @grpc/grpc-js, tar-fs to remediate CVEs#4

Merged
daniel-xbow merged 1 commit into
masterfrom
fix/bump-vulnerable-npm-deps
Jul 7, 2026
Merged

fix(deps): bump protobufjs, @grpc/grpc-js, tar-fs to remediate CVEs#4
daniel-xbow merged 1 commit into
masterfrom
fix/bump-vulnerable-npm-deps

Conversation

@xbow-bot

Copy link
Copy Markdown

Summary

Regenerate package-lock.json to pull in fixed releases of three direct dependencies, remediating Trivy-reported CVEs. The fixed versions all satisfy the existing semver ranges in package.json, so no package.json change was needed.

Package Before After CVEs fixed
protobufjs 7.3.2 7.6.4 CVE-2026-41242 (CRITICAL, arbitrary code execution), CVE-2026-44289/44290/44291/44293, CVE-2026-48712
@grpc/grpc-js 1.11.1 1.14.4 CVE-2026-48068, CVE-2026-48069 (server/client crash)
tar-fs 2.1.2 2.1.5 CVE-2025-48387, CVE-2025-59343 (path traversal / symlink validation bypass)

Changes

  • package-lock.json only — regenerated via npm update within the existing ranges (^7.3.2, ^1.11.1, ~2.1.2). No suppression/.trivyignore file added.

Testing

npm test was run. The dockerode suite requires a live Docker daemon; in this CI environment without /var/run/docker.sock, the Docker-backed tests fail with connect ENOENT /var/run/docker.sock (and cascades), which is pre-existing/environmental and unrelated to this dependency bump. The non-Docker tests (constructors, auth, util parsing) pass.

Generated by Claude Code Service (see job).
Respond to this PR with the prefix "Claude: " to trigger an action on this PR.

Regenerate package-lock.json within the existing semver ranges to pull in
fixed releases:
- protobufjs 7.3.2 -> 7.6.4 (CVE-2026-41242, -44289/44290/44291/44293, -48712)
- @grpc/grpc-js 1.11.1 -> 1.14.4 (CVE-2026-48068, CVE-2026-48069)
- tar-fs 2.1.2 -> 2.1.5 (CVE-2025-48387, CVE-2025-59343)

All three are direct dependencies and the fixed versions satisfy the
existing ranges in package.json, so no package.json change is required.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@daniel-xbow daniel-xbow merged commit 6e92756 into master Jul 7, 2026
14 checks passed
@daniel-xbow daniel-xbow deleted the fix/bump-vulnerable-npm-deps branch July 7, 2026 11:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants