fix(security): resolve 1 critical Socket.dev vulnerability (protobufjs)

@zen-agentchecks n/achecks…zen/socket-fix-critical-i72f9v → main1 files · +5 −15updated 3w ago

▸Description· 1 comment · 5 noise

Description

Resolves the critical protobufjs prototype-pollution vulnerability in this repo reported by Socket.dev. Lockfile-only change.

Vulnerabilities Fixed

Alert ID	Severity	Package	Fix
GHSA-xq3m-2v4x-88gg	critical	`protobufjs@7.5.4`	bumped to `7.5.5`

GHSA: https://github.com/advisories/GHSA-xq3m-2v4x-88gg

Applied via socket fix --id GHSA-xq3m-2v4x-88gg --no-major-updates. pnpm install --lockfile-only --fix-lockfile finalized the lockfile (1/1 workspaces were upgraded successfully).

How did I test this PR

socket fix reported pkg:npm/protobufjs@7.5.4 → 7.5.5 and 1/1 workspaces were upgraded successfully.
git diff pnpm-lock.yaml is scoped: protobufjs@7.5.4 → protobufjs@7.5.5 and a small amount of pnpm reformatting (deprecated metadata fields).
No package.json source changes.

Originally bundled, now reverted

This PR initially also bumped @hey-api/openapi-ts from ^0.77.0 to ^0.87.0 to drop the vulnerable transitive handlebars@4.7.8 (GHSA-2w6w-674q-4c4q). That bump caused the Playwright WebServer to fail to start because @hey-api/openapi-ts@0.87.x changed how runtimeConfigPath in openapi-ts.config.ts is interpreted — the generated apps/web/generated/client.gen.ts started emitting import { createClientConfig } from './lib/fe-api-client.ts' (sibling of the generated dir), which doesn't exist. The bump has been reverted from this PR.

Unresolved (out of scope for this run)

Alert ID	Severity	Package	Reason
GHSA-2w6w-674q-4c4q	critical	`handlebars@4.7.8` (transitive via `@hey-api/openapi-ts`)	Tracked in PR #933 (uses `pnpm.overrides` instead of bumping the parent package — safer for the generated codegen)
GHSA-rpr9-rxv7-x643	critical	`sanitize-html@2.17.0`	No patched version published yet (still vulnerable in latest 2.17.3)

Plus ~59 cve / obfuscatedFile alerts at high severity across transitive deps remain (handled in subsequent runs).

Auto-generated by Socket.dev security cron

Origin: cron-socket-tier1-weekly / zen-cron-9b6a4e268d91 Triggered by: saransh@composio.dev | Source: cron Session: https://zen-api-production-4c98.up.railway.app/dashboard/#/chat/zen-cron-9b6a4e268d91

@zen-agent3w ago

Final status — Socket.dev security cron

After scoping the PR to only the protobufjs fix (force-push 57ae6064, see "Originally bundled, now reverted" in the PR body):

✅ CI: 7/9 checks PASSED (lint, typecheck, all Analyze jobs, test shards 2/4 and 3/4).
⚠️ test (4, 4): FAILED on the same pre-existing flaky tests that have been failing on next-based PRs since 2026-05-19 — e2e/tests/link/oauth-flow.spec.ts (should handle OAuth callback with error/success status, should follow external OAuth redirect) and e2e/tests/link/mobile-responsive.spec.ts (should handle portrait and landscape orientations).
- These exact tests also fail on PR #933 (a totally unrelated handlebars-only pnpm.overrides change) → root cause is not this PR; appears to be a backend/test-env regression after 2026-05-18's last green run.
test (1, 4): still in progress at the time of writing — also expected to hit the same flakes.
✅ Cursor Bugbot: no comments.
🟢 Codex review: skipped — final scope is a pure lockfile bump (protobufjs 7.5.4 → 7.5.5).

The protobufjs fix itself is sound and ready to merge once the pre-existing OAuth flaky tests are sorted out separately (or once the maintainer is happy to merge through them, since they're consistently flaky on all current PRs touching pnpm-lock.yaml).

▸ 5 bot/status comments hidden

@vercel[bot]3w ago

Someone is attempting to deploy this pull request to the Composio Team on Vercel.

No GitHub account was found matching the commit author email address.

To deploy this pull request, the commit author's email address needs to be associated with a GitHub account.

Learn more about how to change the commit author information.

@vercel[bot]3w ago

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
platform-frontend	Blocked		May 20, 2026 10:29am

@socket-security[bot]3w ago

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

loading diff…

@zen-agent3w ago

Final status — Socket.dev security cron

After scoping the PR to only the protobufjs fix (force-push 57ae6064, see "Originally bundled, now reverted" in the PR body):

✅ CI: 7/9 checks PASSED (lint, typecheck, all Analyze jobs, test shards 2/4 and 3/4).
⚠️ test (4, 4): FAILED on the same pre-existing flaky tests that have been failing on next-based PRs since 2026-05-19 — e2e/tests/link/oauth-flow.spec.ts (should handle OAuth callback with error/success status, should follow external OAuth redirect) and e2e/tests/link/mobile-responsive.spec.ts (should handle portrait and landscape orientations).
- These exact tests also fail on PR #933 (a totally unrelated handlebars-only pnpm.overrides change) → root cause is not this PR; appears to be a backend/test-env regression after 2026-05-18's last green run.
test (1, 4): still in progress at the time of writing — also expected to hit the same flakes.
✅ Cursor Bugbot: no comments.
🟢 Codex review: skipped — final scope is a pure lockfile bump (protobufjs 7.5.4 → 7.5.5).

fix(security): resolve 1 critical Socket.dev vulnerability (protobufjs)

Description

Vulnerabilities Fixed

How did I test this PR

Originally bundled, now reverted

Unresolved (out of scope for this run)

Description

Vulnerabilities Fixed

How did I test this PR

Originally bundled, now reverted

Unresolved (out of scope for this run)

Playwright Test Results

Playwright Test Results