[Snyk] Security upgrade protobufjs from 6.11.3 to 7.5.5#764
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-16094665
✅ Snyk checks have passed. No issues have been found so far.
| @@ -26,6 +26,6 @@ | |||
| "dependencies": { | |||
| "bytebuffer": "^5.0.1", | |||
| "long": "^4.0.0", | |||
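Review bot: the `"long": "^4.0.0"` context line in this hunk is left untouched while the same manifest moves protobufjs to 7.5.5, which depends on long@^5.0.0; ^4.0.0 (>=4.0.0 <5.0.0) and ^5.0.0 are disjoint, so yarn will install two copies of long, and the constructor hd-transport assigns to `protobuf.util.Long` will be the v4 copy rather than the one protobufjs itself resolves. Bump the pin to `"long": "^5.0.0"` in this PR, re-run yarn so the lockfile carries a single long entry, and re-test the 64-bit field decode path before merging.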
🔴 long dependency not updated from v4 to v5 to match protobufjs v7's requirement
protobufjs v7.5.5 declares a dependency on long@^5.0.0 (verified via npm view protobufjs@7.5.5 dependencies), but hd-transport still has "long": "^4.0.0" at line 28. Since ^4.0.0 resolves to >=4.0.0 <5.0.0, these ranges are mutually exclusive, causing two separate copies of long to be installed. The code at packages/hd-transport/src/index.ts:2 does import * as Long from 'long' (resolving to long v4) and then at packages/hd-transport/src/index.ts:14 sets protobuf.util.Long = Long, feeding protobufjs v7 a Long v4 constructor when it was designed around Long v5. While the core Long API (.toNumber(), .toString(), fromBits, etc.) is similar between v4 and v5, this is an incomplete migration that duplicates the long package in the bundle and risks subtle incompatibilities in the 64-bit integer serialization path used by packages/hd-transport/src/serialization/protobuf/decode.ts:21-28.
| "long": "^4.0.0", | |
| "long": "^5.0.0", |
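The range argument in the review comment above (a consumer pin of ^4.0.0 versus a dependency requirement of ^5.0.0 forcing two installed copies) can be checked mechanically. The script below is an added example, not code from the Snyk PR or the hd-transport project: it parses caret, tilde and exact ranges into half-open version intervals and reports every package the consumer pins to a range that cannot be satisfied by the same version a direct dependency needs. The hd-transport manifest is constructed from the lines visible in this PR (the `"protobufjs": "^7.5.5"` range form is an assumption), and protobufjs' `long@^5.0.0` requirement is taken from the review comment rather than fetched from the registry.

```javascript
// Added example (not from the Snyk PR or hd-transport). Detects dependency
// ranges that are disjoint between a consumer's manifest and what one of its
// direct dependencies declares, i.e. cases where a package manager has to
// install two copies of the same package.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch]; negative if a < b.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Turn a range into a half-open interval [lo, hi). Only ^, ~ and exact
// versions are handled; that is all these manifests use.
function rangeToInterval(range) {
  const r = range.trim();
  if (r.startsWith('^')) {
    const lo = parseVersion(r.slice(1));
    // ^X.Y.Z allows up to the next major; for 0.x the next minor; for 0.0.x the next patch.
    let hi;
    if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
    else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
    else hi = [0, 0, lo[2] + 1];
    return { lo, hi };
  }
  if (r.startsWith('~')) {
    const lo = parseVersion(r.slice(1));
    return { lo, hi: [lo[0], lo[1] + 1, 0] }; // ~X.Y.Z allows up to the next minor
  }
  const exact = parseVersion(r);
  return { lo: exact, hi: [exact[0], exact[1], exact[2] + 1] };
}

// Two ranges can share one installed version iff their intervals intersect.
function rangesOverlap(a, b) {
  const A = rangeToInterval(a);
  const B = rangeToInterval(b);
  return cmp(A.lo, B.hi) < 0 && cmp(B.lo, A.hi) < 0;
}

// consumerDeps: the consumer's "dependencies" map.
// depManifests: { depName: { subDepName: range } } for each direct dependency.
// Returns one entry per package that must be installed twice.
function findDuplicatedDeps(consumerDeps, depManifests) {
  const conflicts = [];
  for (const [dep, sub] of Object.entries(depManifests)) {
    for (const [name, range] of Object.entries(sub)) {
      if (name in consumerDeps && !rangesOverlap(consumerDeps[name], range)) {
        conflicts.push({ package: name, consumer: consumerDeps[name], via: dep, required: range });
      }
    }
  }
  return conflicts;
}

// Constructed sample: hd-transport's dependencies after this PR (the protobufjs
// range form is assumed) and the long requirement the review comment reports
// for protobufjs 7.5.5.
const HD_TRANSPORT_DEPS = { bytebuffer: '^5.0.1', long: '^4.0.0', protobufjs: '^7.5.5' };
const DEP_MANIFESTS = { protobufjs: { long: '^5.0.0' } };

// Expected: one conflict, for `long` (^4.0.0 vs ^5.0.0).
console.log(findDuplicatedDeps(HD_TRANSPORT_DEPS, DEP_MANIFESTS));
// Expected: no conflicts once the consumer pin is raised to ^5.0.0.
console.log(findDuplicatedDeps({ ...HD_TRANSPORT_DEPS, long: '^5.0.0' }, DEP_MANIFESTS));
```

In a checked-out repo the same question can be answered directly after `yarn install`: if `require.resolve('long')` from the hd-transport package and `require.resolve('long', { paths: [path.dirname(require.resolve('protobufjs/package.json'))] })` return different paths, two copies are installed and `protobuf.util.Long = Long` is handing protobufjs a different module than the one it resolves itself.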
Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/hd-transport/package.json
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-PROTOBUFJS-16094665
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Arbitrary Code Injection