fix: upgrade protobufjs to 6.11.6 #2986

Draft
lochie wants to merge 13 commits into main from lochiea/family-647-vanta-remediate-critical-vulnerabilities-identified-in
@lochie lochie commented May 18, 2026

Resolves CVE-2026-41242 by forcing protobufjs to patched version 6.11.6. The vulnerability was present in protobufjs <7.5.5, and is backported to 6.x via the 6.11.6 release. This maintains API compatibility with existing consumers that depend on protobufjs ^6.x via @cowprotocol/cow-sdk.

Fixes Dependabot alert: https://github.com/aave/interface/security/dependabot/161

General Changes

  • Resolves "protobufjs": "^6.11.6"
  • Fixes broken clsx import in Link component

Reviewer Checklist

Please ensure you, as the reviewer(s), have gone through this checklist to ensure that the code changes are ready to ship safely and to help mitigate any downstream issues that may occur.

  • End-to-end tests are passing without any errors
  • Code changes do not significantly increase the application bundle size
  • If there are new 3rd-party packages, they do not introduce potential security threats
  • If there are new environment variables being added, they have been added to the .env.example file as well as the pertinent .github/actions/* files
  • There are no CI changes, or they have been approved by the DevOps and Engineering team(s)

Resolves CVE-2026-41242 by forcing protobufjs to patched version 6.11.6.
The vulnerability was present in protobufjs <7.5.5, and is backported to
6.x via the 6.11.6 release. This maintains API compatibility with existing
consumers that depend on protobufjs ^6.x via @cowprotocol/cow-sdk.
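
As an added example (not code from this PR or the aave/interface repository), the check below scans a lockfile for any remaining protobufjs copy below the patched versions named in the description: 6.11.6 on the 6.x line, 7.5.5 otherwise. It assumes npm's package-lock v2/v3 `packages` layout; the sample lockfile and the `example-grpc` package are constructed.

```javascript
// Added example: find protobufjs copies below the patched versions named in
// the PR description (6.11.6 on the 6.x line, 7.5.5 otherwise).
// Assumption: npm package-lock v2/v3 layout with a "packages" map.
const PATCHED = { 6: [6, 11, 6], default: [7, 5, 5] };

// Parse "x.y.z" into numbers, ignoring any pre-release or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when the version is below the patched floor for its major line.
function isVulnerable(version) {
  const v = parseVersion(version);
  const floor = PATCHED[v[0]] || PATCHED.default;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] < floor[i];
  }
  return false;
}

// Return every installed copy of the package that is still vulnerable,
// including copies nested under other dependencies.
function findVulnerable(lock, name = "protobufjs") {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && isVulnerable(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile fragment (not taken from the repository).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/protobufjs": { version: "6.11.6" },
    "node_modules/@cowprotocol/cow-sdk/node_modules/protobufjs": { version: "6.11.3" },
    "node_modules/example-grpc/node_modules/protobufjs": { version: "7.2.4" },
    "node_modules/not-protobufjs": { version: "1.0.0" },
  },
};

console.log(findVulnerable(sampleLock));
```

A hoisted copy at 6.11.6 does not prove the tree is clean: nested copies pinned by other dependencies are reported separately, which is the case a forced resolution is meant to close.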

linear Bot commented May 18, 2026

FAMILY-647

vercel Bot commented May 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
interface Error Error May 18, 2026 9:52am

github-actions Bot commented May 18, 2026

Dependency Review

The following issues were found:

  • ❌ 1 vulnerable package(s)
  • ⚠️ 24 packages with OpenSSF Scorecard issues.

forhau previously approved these changes May 18, 2026
resolve react@types from version * from other dependencies
lochie added 3 commits May 18, 2026 17:57
This reverts commit caba08b.
This reverts commit 3172fdd.
This reverts commit 845abfd.
@lochie lochie marked this pull request as draft May 18, 2026 08:03