Bump protobufjs from 8.0.0 to 8.0.1 in /tests/ctst#2386
Bump protobufjs from 8.0.0 to 8.0.1 in /tests/ctst#2386dependabot[bot] wants to merge 1 commit intodevelopment/2.14from
Conversation
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 8.0.0 to 8.0.1. - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@protobufjs-v8.0.0...protobufjs-v8.0.1) --- updated-dependencies: - dependency-name: protobufjs dependency-version: 8.0.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
Hello dependabot[bot],My role is to assist you with the merge of this Available options
Available commands
Status report is not available. The following options are set: bypass_author_approval, bypass_jira_check |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
The following options are set: bypass_author_approval, bypass_jira_check |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Dependency Bump Evaluation
Version change: 8.0.0 -> 8.0.1 (patch)
Semver bump type: patch
Changes:
- Guard oneof index for non-Type parents in descriptor
- Do not allow setting
__proto__in Message constructor (prototype pollution fix) - Filter invalid characters from type name
- Bump CLI package protobufjs dependency version
- Correct JSON syntax in tsconfig.json
- Update transitive dependency
tmpto v0.2.4 (security)
Breaking changes: None
Security concerns: None — this release improves security by fixing a prototype pollution vector (__proto__ in Message constructor) and updating a transitive dependency (tmp) for a security fix. The npm new releaser flag refers to Alexander Fenster (fenster), a long-standing Google protobuf maintainer — not a supply chain concern.
Impact on codebase: protobufjs is an optional transitive dependency of @platformatic/kafka. No direct imports or usage of protobufjs found in the tests/ctst/ source code. The only file changed is yarn.lock.
Recommendation: SAFE TO MERGE
— Claude Code
|
Looks like protobufjs is no longer a dependency, so this is no longer needed. |
ConflictThere is a conflict between your branch Please resolve the conflict on the feature branch ( git fetch && \
git checkout origin/dependabot/npm_and_yarn/tests/ctst/protobufjs-8.0.1 && \
git merge origin/development/2.14Resolve merge conflicts and commit git push origin HEAD:dependabot/npm_and_yarn/tests/ctst/protobufjs-8.0.1The following options are set: bypass_author_approval, bypass_jira_check |
dependabot
Bot
deleted the
dependabot/npm_and_yarn/tests/ctst/protobufjs-8.0.1
branch
1 participant
Bumps protobufjs from 8.0.0 to 8.0.1.
Release notes
Sourced from protobufjs's releases.
Changelog
Sourced from protobufjs's changelog.
Commits
6559b3dchore: release master (#2129)042f81dchore(deps): update dependency tmp to v0.2.4 [security] (#2091)8065625fix: correct json syntax in tsconfig.json (#2120)1cac5cffix(descriptor): guard oneof index for non-Type parents (#2122)549b05efix: bump protobufjs dependency version for cli package (#2128)535df44fix: filter invalid characters from the type name (#2127)f05e3c3fix: do not allow setting proto in Message constructor (#2126)Maintainer changes
This version was pushed to npm by fenster, a new releaser for protobufjs since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.