Update dependency protobufjs to v6.11.4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
protobufjs (source)	6.10.2 → 6.11.4

GitHub Vulnerability Alerts

CVE-2022-25878

The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.

This vulnerability can occur in multiple ways:

1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
2. by parsing/loading .proto files

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

---

Release Notes

protobufjs/protobuf.js (protobufjs)

v6.11.4

Compare Source

v6.11.3

Compare Source

6.11.3 (2022-05-20)

Bug Fixes

• deps: use eslint 8.x (#​1728) (a8681ce)
• do not let setProperty change the prototype (#​1731) (b5f1391)

v6.11.2

Compare Source

6.11.2 (2021-04-30)

• regenerated index.d.ts to fix the unintended breaking change in types.

v6.11.1

Compare Source

6.11.1 (2021-04-29)

Bug Fixes

• parse.js "parent.add(oneof)“ error (@​leon776) (#​1602)

v6.11.0

Compare Source

6.11.0 (2021-04-28)

Features

• support for proto3 optional fields (@​alexander-fenster) (#​1584)
• add --no-service option for pbjs (@​mdouglass) (#​1577)

Bug Fixes

• do not assign oneof members to default values, use null instead (@​alexander-fenster) (#​1597)

Dependencies

• set @types/node to >= 13.7.0 in dependencies (@​indutny) (#​1575)

v6.10.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.