fix(deps): update dependency protobufjs to v7.2.5 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
protobufjs (source)	7.0.0 -> 7.2.5

GitHub Vulnerability Alerts

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

---

Release Notes

protobufjs/protobuf.js (protobufjs)

v7.2.5

Compare Source

Bug Fixes

• crash in comment parsing (#​1890) (eaf9f0a)
• deprecation warning for new Buffer (#​1905) (e93286e)
• possible infinite loop when parsing option (#​1923) (f2a8620)

v7.2.4

Compare Source

Bug Fixes

• do not let setProperty change the prototype (#​1899) (e66379f)

v7.2.3

Compare Source

Bug Fixes

• type names can be split into multiple tokens (#​1877) (8817ee6)

v7.2.2

Compare Source

Bug Fixes

• do not allow to extend same field twice to prevent the error (#​1784) (14f0536)

v7.2.1

Compare Source

Bug Fixes

• cli: fix relative path to Google pb files (#​1859) (e42eea4)
• Revert "fix: error should be thrown" (4489fa7)
• use bundled filename to fix common pb includes (#​1860) (dce9a2e)
• use ES5 style function syntax (#​1830) (64e8936)

v7.2.0

Compare Source

Features

• cli: generate static files at the granularity of proto messages (#​1840) (32f2d6a)

Bug Fixes

• error should be thrown (#​1817) (e7a3489)

v7.1.2

Compare Source

Bug Fixes

• types: nested object can be a oneof (#​1812) (119d90a)

v7.1.1

Compare Source

Bug Fixes

• add import long to the generated .d.ts (#​1802) (7c27b5a)
• generate valid js code for aliased enum values (#​1801) (7120e93)

v7.1.0

Compare Source

Features

• accept unknown enum values in fromObject (#​1793) (ef24ae4)
• valuesOptions for enums (#​1358) (bb6b1d4)

Bug Fixes

• deps: update dependency glob to v8 (#​1750) (8303a64)
• extensions broke oneof (#​1789) (d7f501c)
• remove unused @types/long (#​1785) (0f4af83)
• support for nested messages and enums within group blocks (#​1790) (f36d4e4)
• types: update type deps (#​1776) (d87978b)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.