
fix(deps): vuln unstable upgrades — 20 packages (unstable: 1 · minor: 10 · patch: 9) [src/currencyservice]#54

Open

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/major/npm/currencyservice/0-1781532572

Conversation

@gh-worker-campaigns-3e9aa4


Summary: Critical-severity security update — 30 packages upgraded (UNSTABLE changes included)

Manifests changed:

  • src/currencyservice (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| protobufjs | 7.1.1 | 7.6.4 | minor | Transitive | 3 CRITICAL, 4 HIGH, 4 MEDIUM |
| @grpc/grpc-js | 1.8.0 | 1.14.4 | minor | Direct | 2 HIGH, 2 MEDIUM |
| @opentelemetry/sdk-node | 0.34.0 | 0.219.0 | unstable | Direct | 1 HIGH |
| @grpc/proto-loader | 0.7.4 | 0.8.1 | unstable | Direct | - |
| @opentelemetry/sdk-trace-base | 1.8.0 | 2.8.0 | major | Direct | - |
| @opentelemetry/api | 1.3.0 | 1.9.1 | minor | Direct | - |
| @opentelemetry/context-async-hooks | 1.8.0 | 1.30.1 | minor | Transitive | - |
| @opentelemetry/core | 1.0.0 | 1.30.1 | minor | Transitive | - |
| @opentelemetry/exporter-zipkin | 1.8.0 | 1.30.1 | minor | Transitive | - |
| @opentelemetry/propagator-b3 | 1.8.0 | 1.30.1 | minor | Transitive | - |
| @opentelemetry/propagator-jaeger | 1.8.0 | 1.30.1 | minor | Transitive | - |
| @opentelemetry/resources | 1.0.0 | 1.30.1 | minor | Transitive | - |
| @opentelemetry/sdk-metrics | 1.8.0 | 1.30.1 | minor | Transitive | - |
| @opentelemetry/sdk-trace-base | 1.8.0 | 1.30.1 | minor | Direct | - |
| @opentelemetry/sdk-trace-node | 1.8.0 | 1.30.1 | minor | Transitive | - |
| @opentelemetry/semantic-conventions | 1.0.0 | 1.41.1 | minor | Transitive | - |
| @types/node | 18.11.9 | 18.19.130 | minor | Transitive | - |
| acorn | 8.8.1 | 8.17.0 | minor | Transitive | - |
| debug | 4.3.4 | 4.4.3 | minor | Transitive | - |
| escalade | 3.1.1 | 3.2.0 | minor | Transitive | - |
| long | 5.2.1 | 5.3.2 | minor | Transitive | - |
| @grpc/proto-loader | 0.7.4 | 0.7.15 | patch | Direct | - |
| @opentelemetry/core | 1.0.0 | 1.0.1 | patch | Transitive | - |
| @opentelemetry/resources | 1.0.0 | 1.0.1 | patch | Transitive | - |
| @opentelemetry/semantic-conventions | 1.0.0 | 1.0.1 | patch | Transitive | - |
| @types/node | 18.11.9 | 18.11.19 | patch | Transitive | - |
| acorn | 8.8.1 | 8.8.2 | patch | Transitive | - |
| debug | 4.3.4 | 4.3.7 | patch | Transitive | - |
| escalade | 3.1.1 | 3.1.2 | patch | Transitive | - |
| long | 5.2.1 | 5.2.5 | patch | Transitive | - |

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (10 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| protobufjs | GHSA-xq3m-2v4x-88gg | CRITICAL | Arbitrary code execution in protobufjs | 7.1.1 | 8.0.1 |
| protobufjs | CVE-2023-36665 | CRITICAL | - | 7.1.1 | - |
| protobufjs | GHSA-h755-8qp9-cq85 | CRITICAL | protobufjs Prototype Pollution vulnerability | 7.1.1 | 7.2.5 |
| @grpc/grpc-js | GHSA-5375-pq7m-f5r2 | HIGH | @grpc/grpc-js: A malformed request can cause a server crash | 1.8.0 | 1.9.16 |
| @grpc/grpc-js | GHSA-99f4-grh7-6pcq | HIGH | @grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash | 1.8.0 | 1.9.16 |
| @opentelemetry/sdk-node | GHSA-q7rr-3cgh-j5r3 | HIGH | Prometheus exporter process crash via malformed HTTP request | 0.34.0 | 0.217.0 |
| protobufjs | GHSA-685m-2w69-288q | HIGH | protobuf.js: Denial of service through unbounded protobuf recursion | 7.1.1 | 7.5.6 |
| protobufjs | GHSA-75px-5xx7-5xc7 | HIGH | protobuf.js: Code generation gadget after prototype pollution | 7.1.1 | 7.5.6 |
| protobufjs | GHSA-jvwf-75h9-cwgg | HIGH | protobuf.js: Process-wide denial of service through unsafe option paths | 7.1.1 | 7.5.6 |
| protobufjs | GHSA-66ff-xgx4-vchm | HIGH | protobuf.js: Code injection through bytes field defaults in generated toObject code | 7.1.1 | 7.5.6 |
ℹ️ Other Vulnerabilities (6)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @grpc/grpc-js | CVE-2024-37168 | MODERATE | @grpc/grpc-js can allocate memory for incoming messages well above configured limits | 1.8.0 | - |
| @grpc/grpc-js | GHSA-7v5v-9h63-cj86 | MODERATE | @grpc/grpc-js can allocate memory for incoming messages well above configured limits | 1.8.0 | 1.10.9 |
| protobufjs | GHSA-2pr8-phx7-x9h3 | MODERATE | protobuf.js: Denial of service from crafted field names in generated code | 7.1.1 | 7.5.6 |
| protobufjs | GHSA-jggg-4jg4-v7c6 | MODERATE | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion | 7.1.1 | 7.5.8 |
| protobufjs | GHSA-q6x5-8v7m-xcrf | MODERATE | protobufjs has overlong UTF-8 decoding | 7.1.1 | 7.5.6 |
| protobufjs | GHSA-fx83-v9x8-x52w | MODERATE | protobuf.js: Prototype injection in generated message constructors | 7.1.1 | 7.5.6 |

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
