chore(deps): update dependency protobufjs to v7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
protobufjs (source)	6.11.3 -> 7.2.4

GitHub Vulnerability Alerts

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

---

Release Notes

protobufjs/protobuf.js (protobufjs)

v7.2.4

Compare Source

Bug Fixes

• do not let setProperty change the prototype (#​1899) (e66379f)

v7.2.3

Compare Source

Bug Fixes

• type names can be split into multiple tokens (#​1877) (8817ee6)

v7.2.2

Compare Source

Bug Fixes

• do not allow to extend same field twice to prevent the error (#​1784) (14f0536)

v7.2.1

Compare Source

Bug Fixes

• cli: fix relative path to Google pb files (#​1859) (e42eea4)
• Revert "fix: error should be thrown" (4489fa7)
• use bundled filename to fix common pb includes (#​1860) (dce9a2e)
• use ES5 style function syntax (#​1830) (64e8936)

v7.2.0

Compare Source

Features

• cli: generate static files at the granularity of proto messages (#​1840) (32f2d6a)

Bug Fixes

• error should be thrown (#​1817) (e7a3489)

v7.1.2

Compare Source

Bug Fixes

• types: nested object can be a oneof (#​1812) (119d90a)

v7.1.1

Compare Source

Bug Fixes

• add import long to the generated .d.ts (#​1802) (7c27b5a)
• generate valid js code for aliased enum values (#​1801) (7120e93)

v7.1.0

Compare Source

Features

• accept unknown enum values in fromObject (#​1793) (ef24ae4)
• valuesOptions for enums (#​1358) (bb6b1d4)

Bug Fixes

• deps: update dependency glob to v8 (#​1750) (8303a64)
• extensions broke oneof (#​1789) (d7f501c)
• remove unused @types/long (#​1785) (0f4af83)
• support for nested messages and enums within group blocks (#​1790) (f36d4e4)
• types: update type deps (#​1776) (d87978b)

v7.0.0

Compare Source

⚠ BREAKING CHANGES

• drop support for Node 4, 6, 8, 10 (#​1764)
• move command line tool to a new package named protobufjs-cli (#​1234)
• encoding of empty Buffers (#​1514)

Features

• add --no-service option for pbjs static target (#​1577) (d01394a)
• add alt-comment CLI option (#​1692) (7558ef0)
• add configurable Root.prototype.fetch (ad3cffd)
• add getTypeUrl method to generated code (#​1463) (d13d5d5)
• add null-defaults option (#​1611) (6e713ba)
• add support for buffer configuration (#​1372) (101aa1a)
• allow message.getTypeUrl provide custom typeUrlPrefix (#​1762) (8aad1dd)
• better comment parse (#​1419) (7fd2e18)
• move command line tool to a new package named protobufjs-cli (#​1234) (da34f43)
• parsed options (#​1256) (7a25398)
• prepare initial publication of cli (#​1752) (64811d5)
• proto3 optional support (#​1584) (6c4d307)
• support parsing of complex options (#​1744) (b1746a8)
• update dependencies / general cleanup (#​1356) (42f49b4)

Bug Fixes

• allow for an optional semicolon where there is an optional comma in parseOptionValue (#​1571) (af1b449)
• allow Windows unc paths to be resolved and normalized (#​1351) (cd4aeda)
• deps: patch minimatch vulnerability (#​1704) (bac61b8)
• deps: update dependency long to v5 (#​1751) (dadc65e)
• deps: use eslint 8.x (#​1728) (fa01883)
• do not fail if no process (#​1440) (f2faa8c)
• do not let setProperty change the prototype (#​1731) (3357ef7)
• docs: update CHANGELOG to match format of release-please (#​1376) (15ed8a0)
• drop support for Node 4, 6, 8, 10 (#​1764) (50370dd)
• encoding of empty Buffers (#​1514) (b4cae07), closes #​1500 #​885
• es6 export enum (#​1446) (9f33784)
• fix util.global (#​1441) (742b8dc)
• fromObject should not initialize oneof members (#​1597) (90afe44)
• google.protobuf.Any type_url fixes (#​1068) (192f5f1)
• handling of map entries with omitted key or value (#​1348) (b950877)
• handling properly fields with leading and trailing comments after field with trailing comment (#​1593) (9011aac)
• make node detection a bit more forgiving (#​1445) (4e75f6d)
• make parsedOptions appear in method JSON representation (#​1506) (3d29969)
• proper relative path to protobufjs in cli (#​1753) (a1d6029)
• properly parse empty messages in options (#​1429) (7fbc79f)
• proto3 optional scalars should default to null in reflection API (#​1693) (d9144de)
• replace deprecated String.prototype.substr() (#​1701) (e33a84a)
• scope variable for map field to avoid redeclaration (#​1717) (#​1718) (1d3c02a)
• support for options with repeated_value: [ "foo", "bar" ] (#​1574) (f5b893c)
• typo in pbjs help text (#​1552) (7f46dbe)
• update minimal.js to evade override mistake (#​1742) (e2f33a0)
• updated isNode check (#​1221) (#​1363) (5564e7b)
• utf8 -> utf16 decoding bug on surrogate pairs (#​1486) (75172cd)

6.10.2 (2020-11-13)

Bug Fixes

• es6 export enum (#​1446) (9f33784)
• make parsedOptions appear in method JSON representation (#​1506) (3d29969)
• utf8 -> utf16 decoding bug on surrogate pairs (#​1486) (75172cd)

6.10.1 (2020-07-16)

Bug Fixes

• make node detection a bit more forgiving (#​1445) (4e75f6d)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov-commenter]

Codecov Report

Merging #1106 (69bc42c) into master (d46c889) will increase coverage by 0.04%.
The diff coverage is n/a.

❗ Current head 69bc42c differs from pull request most recent head 6404c5d. Consider uploading reports for the commit 6404c5d to get more accurate results

@@            Coverage Diff             @@
##           master    #1106      +/-   ##
==========================================
+ Coverage   95.56%   95.60%   +0.04%     
==========================================
  Files         153      153              
  Lines       10924    10924              
  Branches     1042     1042              
==========================================
+ Hits        10439    10444       +5     
+ Misses        485      480       -5     

see 2 files with indirect coverage changes

[aabmass]

This is only in a dev dependency and does not affect the published NPM packages.