Skip to content

chore(deps): bump protobufjs to 7.6.4, form-data to ^4.0.6, drop 2 GHSAs from .iyarc#9176

Open
github-actions[bot] wants to merge 1 commit into
masterfrom
iyarc-prune/protobufjs-form-data-fixes-20260702
Open

chore(deps): bump protobufjs to 7.6.4, form-data to ^4.0.6, drop 2 GHSAs from .iyarc#9176
github-actions[bot] wants to merge 1 commit into
masterfrom
iyarc-prune/protobufjs-form-data-fixes-20260702

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumped protobufjs from 7.5.8 → 7.6.4 (fixes GHSA-wcpc-wj8m-hjx6)
  • Bumped form-data from ^4.0.4 → ^4.0.6 (fixes GHSA-hmw2-7cc7-3qxx)
  • Removed 2 GHSA exclusions from .iyarc that are now safely resolved

Exclusions Removed

GHSA ID Package Old → New Version Advisory Resolved
GHSA-wcpc-wj8m-hjx6 protobufjs 7.5.8 → 7.6.4 DoS through unbounded Any expansion during JSON conversion
GHSA-hmw2-7cc7-3qxx form-data ^4.0.4 → ^4.0.6 CRLF injection via unescaped multipart field names and filenames

Verification Results

Audit Results

$ yarn run audit-high
Found 0 vulnerabilities
430 ignored because of advisory exclusions

Dependency Consistency Check

$ yarn check-deps
Done in 95.98s.

Build/Test Results

  • @bitgo/abstract-cosmos: ✅ Build successful (protobufjs consumer)
  • @bitgo/sdk-coin-hbar: ✅ Unit tests pass (153 passing, 2 env-related failures)

Still Blocked

The following exclusions could NOT be removed and remain in .iyarc:

Test plan

  • Verify audit-high passes with exclusions removed
  • Verify check-deps passes (no version conflicts)
  • Build affected modules (protobufjs consumers)
  • Test affected modules (form-data consumers)

🤖 Generated with Claude Code

…SAs from .iyarc

- protobufjs: 7.5.8 → 7.6.4 (fixes GHSA-wcpc-wj8m-hjx6 DoS via unbounded Any expansion)
- form-data: ^4.0.4 → ^4.0.6 (fixes GHSA-hmw2-7cc7-3qxx CRLF injection)
- Removed GHSA-wcpc-wj8m-hjx6 and GHSA-hmw2-7cc7-3qxx from .iyarc exclusions
- Verified: audit-high passes, check-deps passes, affected modules build/test

Ticket: HSM-429
@github-actions github-actions Bot requested review from a team as code owners July 2, 2026 19:38
@github-actions github-actions Bot added automated Automated changes dependencies Updates to dependencies security Security-related changes labels Jul 2, 2026
@zahin-mohammad zahin-mohammad self-assigned this Jul 2, 2026

@danielpeng1 danielpeng1 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

protobufjs bumped here #9189

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated Automated changes dependencies Updates to dependencies security Security-related changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants