chore(deps): update dependency protobufjs-cli to v1.2.1 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
protobufjs-cli	1.2.0 → 1.2.1

---

protobuf.js is Vulnerable to OS Command Injection in the CLI

CVE-2026-42290 / GHSA-f84p-cvgm-xgjj

More information

Details

Summary

pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.

Impact

An attacker who can control file names or paths passed to pbts may be able to execute arbitrary shell commands with the privileges of the process running pbts.

This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.

Preconditions

• The application or user must invoke pbts on file paths influenced by an attacker.
• The attacker must be able to supply or create a path containing shell-significant characters.
• The vulnerable pbts version must execute the generated JSDoc command through a shell.

Workarounds

Do not run affected versions of pbts on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking pbts, or run the CLI in an isolated environment with minimal privileges.

Severity

• CVSS Score: 7.8 / 10 (High)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj
• https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v1.2.1
• https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v2.0.2
• https://nvd.nist.gov/vuln/detail/CVE-2026-42290
• https://github.com/advisories/GHSA-f84p-cvgm-xgjj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

protobuf.js: Code injection in pbjs static output from crafted schema names

CVE-2026-44295 / GHSA-6r35-46g8-jcw9

More information

Details

Summary

pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization.

Impact

An attacker who can provide or influence schemas passed to pbjs may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code would run if the generated file is later executed or imported by the application or build process.

This affects the protobufjs CLI static code generation path. Applications that only use trusted schemas, or that do not execute generated output from untrusted schemas, are not directly affected.

Preconditions

• The application or build process must run pbjs static code generation on a schema or JSON descriptor influenced by an attacker.
• The attacker-controlled input must contain crafted schema names that reach generated JavaScript output.
• The generated JavaScript file must subsequently be executed, imported, or otherwise evaluated.

Workarounds

Do not run affected versions of pbjs static code generation on untrusted schemas or descriptors. If untrusted schemas must be accepted, validate schema names before code generation and run generation in an isolated environment.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

References

• https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9
• https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v1.2.1
• https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v2.0.2
• https://nvd.nist.gov/vuln/detail/CVE-2026-44295
• https://github.com/advisories/GHSA-6r35-46g8-jcw9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

protobufjs/protobuf.js (protobufjs-cli)

v1.2.1: protobufjs-cli: v1.2.1

Compare Source

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#​2173) (75392ea)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Code Review

This pull request updates several dependencies across the project's lock files, including package-lock.json, pnpm-lock.yaml, and yarn.lock. Key changes include moving prettier to production dependencies, upgrading protobufjs-cli to version 1.2.1, and updating various @babel components and the semver package. I have no feedback to provide.

[gcf-merge-on-green]

Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, one of your required reviews was not approved, or there is a do not merge label. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot.

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun