
chore(deps): bump protobufjs to 7.6.4, form-data to ^4.0.6, drop 2 GHSAs from .iyarc#9176

Open
github-actions[bot] wants to merge 1 commit into master from iyarc-prune/protobufjs-form-data-fixes-20260702

Conversation

github-actions[bot] (Contributor) commented Jul 2, 2026

Summary

  • Bumped protobufjs from 7.5.8 → 7.6.4 (fixes GHSA-wcpc-wj8m-hjx6)
  • Bumped form-data from ^4.0.4 → ^4.0.6 (fixes GHSA-hmw2-7cc7-3qxx)
  • Removed 2 GHSA exclusions from .iyarc that are now safely resolved

Exclusions Removed

| GHSA ID | Package | Old → New Version | Advisory Resolved |
| --- | --- | --- | --- |
| GHSA-wcpc-wj8m-hjx6 | protobufjs | 7.5.8 → 7.6.4 | DoS through unbounded Any expansion during JSON conversion |
| GHSA-hmw2-7cc7-3qxx | form-data | ^4.0.4 → ^4.0.6 | CRLF injection via unescaped multipart field names and filenames |

Verification Results

Audit Results

$ yarn run audit-high
Found 0 vulnerabilities
430 ignored because of advisory exclusions

Dependency Consistency Check

$ yarn check-deps
Done in 95.98s.

Build/Test Results

  • @bitgo/abstract-cosmos: ✅ Build successful (protobufjs consumer)
  • @bitgo/sdk-coin-hbar: ✅ Unit tests pass (153 passing, 2 env-related failures)

Still Blocked

The following exclusions could NOT be removed and remain in .iyarc:

Test plan

  • Verify audit-high passes with exclusions removed
  • Verify check-deps passes (no version conflicts)
  • Build affected modules (protobufjs consumers)
  • Test affected modules (form-data consumers)

🤖 Generated with Claude Code

…SAs from .iyarc

- protobufjs: 7.5.8 → 7.6.4 (fixes GHSA-wcpc-wj8m-hjx6 DoS via unbounded Any expansion)
- form-data: ^4.0.4 → ^4.0.6 (fixes GHSA-hmw2-7cc7-3qxx CRLF injection)
- Removed GHSA-wcpc-wj8m-hjx6 and GHSA-hmw2-7cc7-3qxx from .iyarc exclusions
- Verified: audit-high passes, check-deps passes, affected modules build/test

Ticket: HSM-429
github-actions[bot] requested review from a team as code owners July 2, 2026 19:38
github-actions[bot] added labels automated (Automated changes), dependencies (Updates to dependencies), security (Security-related changes) Jul 2, 2026
zahin-mohammad self-assigned this Jul 2, 2026
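A check a reviewer could run after a prune like this one, as an added example (not BitGo's tooling and not part of this PR): it confirms that the two advisory IDs are really gone from .iyarc and that every resolved copy of protobufjs and form-data is at or above the version the PR's table gives as the fix. It assumes .iyarc lists one advisory ID per line with `#` comments, and that the caller supplies the resolved versions (for instance collected from yarn.lock); the sample .iyarc contents and version lists below are constructed, and GHSA-xxxx-xxxx-xxxx is a placeholder for an unrelated, still-blocked advisory.

```python
"""Sanity check for an .iyarc exclusion prune (added example, not BitGo tooling).

Assumptions (not from the PR): .iyarc lists one advisory ID per line and
allows '#' comments; resolved package versions are supplied by the caller
(e.g. collected from yarn.lock). All sample data below is constructed.
"""
import re

# Advisories the PR drops from .iyarc, with package and fixed version taken from its table.
FIXED_IN = {
    "GHSA-wcpc-wj8m-hjx6": ("protobufjs", "7.6.4"),
    "GHSA-hmw2-7cc7-3qxx": ("form-data", "4.0.6"),
}


def parse_iyarc(text):
    """Return the set of advisory IDs still excluded; blank lines and '#' comments are ignored."""
    ids = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            ids.add(entry)
    return ids


def parse_version(spec):
    """Reduce '7.6.4', '^4.0.6' or '>=4.0.4' to a comparable (major, minor, patch) tuple.

    Range operators are stripped: for a caret or gte range the lower bound is
    what a minimum-version check cares about.
    """
    m = re.match(r"^\s*[\^~>=<]*\s*v?(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"unparseable version spec: {spec!r}")
    return tuple(int(part) for part in m.groups())


def check_prune(iyarc_text, resolved):
    """Report anything that makes dropping the exclusions unsafe; empty list means OK.

    `resolved` maps package name -> every version resolved in the tree. In a
    monorepo several copies can coexist, and each one must be at or above the
    fix version before the advisory can leave .iyarc.
    """
    excluded = parse_iyarc(iyarc_text)
    problems = []
    for ghsa, (pkg, fix) in FIXED_IN.items():
        if ghsa in excluded:
            problems.append(f"{ghsa} is still listed in .iyarc")
        versions = resolved.get(pkg)
        if not versions:
            problems.append(f"{pkg} not found in the resolved tree; cannot confirm {ghsa}")
            continue
        for ver in versions:
            if parse_version(ver) < parse_version(fix):
                problems.append(f"{pkg}@{ver} is still resolved; {ghsa} requires >= {fix}")
    return problems


# Constructed sample data (not the repository's real .iyarc or lockfile).
IYARC_BEFORE = """\
# advisories excluded from yarn audit
GHSA-wcpc-wj8m-hjx6  # protobufjs
GHSA-hmw2-7cc7-3qxx  # form-data
GHSA-xxxx-xxxx-xxxx  # placeholder: unrelated, still blocked
"""
IYARC_AFTER = """\
# advisories excluded from yarn audit
GHSA-xxxx-xxxx-xxxx  # placeholder: unrelated, still blocked
"""
# Before: one stale copy of form-data still sits beside the patched one.
RESOLVED_BEFORE = {"protobufjs": ["7.5.8"], "form-data": ["4.0.4", "4.0.6"]}
RESOLVED_AFTER = {"protobufjs": ["7.6.4"], "form-data": ["4.0.6"]}

if __name__ == "__main__":
    for label, iyarc, tree in [("before", IYARC_BEFORE, RESOLVED_BEFORE),
                               ("after", IYARC_AFTER, RESOLVED_AFTER)]:
        report = check_prune(iyarc, tree)
        print(f"{label}: {'OK' if not report else 'problems found'}")
        for line in report:
            print("  -", line)
```

The "430 ignored because of advisory exclusions" line in the audit output only says how many findings were suppressed in total; it does not show which IDs are still in the file, which is why the check reads .iyarc directly and walks every resolved version rather than trusting the top-level range in package.json.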