chore(push): override protobufjs to ^7.6.4 (Dependabot)#7778
Merged
Conversation
Bumps the transitive protobufjs dependency (pulled in via firebase-admin -> @google-cloud/firestore -> google-gax/@grpc) from 7.5.x to 7.6.4 through an npm override, resolving:
- GHSA high: DoS via unbounded Any expansion during JSON conversion
- GHSA medium: schema-derived names can shadow runtime properties
Parents require protobufjs ^7, so 7.6.4 is API-compatible. Only protobufjs and its own sub-deps (@protobufjs/*, long) change.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
Pull request overview
Updates the push plugin’s Node dependency resolution to force a patched protobufjs version, addressing Dependabot-reported vulnerabilities in a transitive dependency chain (via firebase-admin).
Changes:
- Add an npm `overrides` entry in `plugins/push/package.json` to require `protobufjs` `^7.6.4`.
- Regenerate `plugins/push/package-lock.json` so the resolved `protobufjs` version becomes `7.6.4` and related sub-deps align (`@protobufjs/*`, `long`).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| plugins/push/package.json | Adds an npm override to ensure protobufjs resolves to ^7.6.4 for the push plugin install. |
| plugins/push/package-lock.json | Updates the lockfile to resolve protobufjs@7.6.4 and associated dependency graph changes (including long). |
Files not reviewed (1)
- plugins/push/package-lock.json: Generated file
Cookiezaurs approved these changes on Jun 26, 2026
What
Adds an npm `overrides` entry pinning the transitive protobufjs dependency in the push plugin to `^7.6.4`, and regenerates `plugins/push/package-lock.json`.
Why
Resolves the two runtime-facing Dependabot alerts on the push plugin:
- DoS via unbounded `Any` expansion during JSON conversion (vulnerable `<= 7.6.0`)
- schema-derived names can shadow runtime properties (vulnerable `<= 7.6.2`)
protobufjs is pulled in transitively via firebase-admin -> @google-cloud/firestore -> google-gax / @grpc. Those parents require protobufjs `^7`, so `7.6.4` is API-compatible. The only lockfile changes are protobufjs itself and its own sub-deps (`@protobufjs/*`, `long`) — no unrelated churn.
Scope note
The other 4 open Dependabot alerts are not addressed here by design — they are dev/test-only (`js-yaml`, `@babel/core`) or build-time native-module tooling (`tar`, no 6.x backport / major-version jump). Those are intended to be dismissed as no-production-impact / tolerable-risk rather than patched.
Testing
CI's `test-api-plugins` job installs the push plugin (honoring the new override via `npm install`) and runs the full push suite via `npx grunt mochaTest` — letting CI verify protobufjs 7.6.4 doesn't break FCM compile/worker paths.
🤖 Generated with Claude Code