@zen-agentchecks…zen/socket-fix-critical-3g2341 → main1 files · +6 −6updated 3w agoResolves the critical prototype pollution vulnerability in protobufjs (GHSA-xq3m-2v4x-88gg) reported by Socket.dev. protobufjs is used transitively in this app (via @opentelemetry/*, @grpc/proto-loader, etc.).
| Alert ID | Severity | Package | Fix |
|---|---|---|---|
| GHSA-xq3m-2v4x-88gg | critical | protobufjs@7.5.4 | bumped to 7.5.5 |
GHSA: https://github.com/advisories/GHSA-xq3m-2v4x-88gg
Applied via socket fix --id GHSA-xq3m-2v4x-88gg --no-major-updates. This is a lockfile-only change.
socket fix ran and reported pkg:npm/protobufjs@7.5.4 → 7.5.5.pnpm install --lockfile-only finalization was skipped in CI because the sandbox lacks NPM_TOKEN to read @composio/db from the private GitHub Packages registry. The textual lockfile bump is correct (all four protobufjs: 7.5.4 references and the package definition itself updated to 7.5.5).pnpm install with the correct token, which will validate the lockfile.cve / obfuscatedFile alerts at high severity remain across transitive deps.Auto-generated by Socket.dev security cron
Origin: cron-socket-tier1-weekly / zen-cron-9b6a4e268d91 Triggered by: saransh@composio.dev | Source: cron Session: https://zen-api-production-4c98.up.railway.app/dashboard/#/chat/zen-cron-9b6a4e268d91
Final status — Socket.dev security cron
dd79c99 — the snapshot block now keeps the full set of @protobufjs/*, long, and @types/node dependencies (verified identical between 7.5.4 and 7.5.5 via npm view).Ready for merge.
Someone is attempting to deploy this pull request to the Composio Team on Vercel.
No GitHub account was found matching the commit author email address.
To deploy this pull request, the commit author's email address needs to be associated with a GitHub account.
Learn more about how to change the commit author information.
[!CAUTION] Review the following alerts detected in dependencies.
According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.