@zen-agentchecks…zen/socket-fix-critical-1prhvm → main2 files · +17 −16updated 3w agoResolves the critical prototype pollution vulnerability in protobufjs (GHSA-xq3m-2v4x-88gg) reported by Socket.dev across this repository's workspaces.
| Alert ID | Severity | Package | Fix |
|---|---|---|---|
| GHSA-xq3m-2v4x-88gg | critical | protobufjs@7.5.4 | bumped to 7.5.5 in stacks/aws-production/package-lock.json and stacks/doppler/package-lock.json |
GHSA: https://github.com/advisories/GHSA-xq3m-2v4x-88gg
This was applied via socket fix --id GHSA-xq3m-2v4x-88gg --no-major-updates. Lockfiles were finalized with npm@11.10.0 install --package-lock-only --force --ignore-scripts. The top-level lockfile already has protobufjs@7.5.7 (newer, unaffected) and required no change.
socket fix --id GHSA-xq3m-2v4x-88gg ran end-to-end and reported pkg:npm/protobufjs@7.5.4 → 7.5.5.npm install --package-lock-only --force using npm 11.10.0 (matches the engine requirement in package.json).git diff is scoped only to the protobufjs entry in the two affected lockfiles.package.json changes; no runtime test suite available in this repo (only lint / discover scripts that hit live cloud APIs).The following Socket.dev high-severity CVEs remain open in this repo and are not addressed here (will be picked up by the next weekly run if still present):
cve alerts at high severity across various transitive dependencies.Auto-generated by Socket.dev security cron
Origin: cron-socket-tier1-weekly / zen-cron-9b6a4e268d91 Triggered by: saransh@composio.dev | Source: cron Session: https://zen-api-production-4c98.up.railway.app/dashboard/#/chat/zen-cron-9b6a4e268d91
Final status — Socket.dev security cron
Ready for merge.