From d75a66690e4a5bf8b5378ae5be95abc345939d22 Mon Sep 17 00:00:00 2001
From: Florent Benoit <fbenoit@redhat.com>
Date: Mon, 20 Apr 2026 09:42:15 +0200
Subject: [PATCH] fix: resolve CVE-2026-41242 in protobufjs

Upgrade protobufjs to satisfy >=7.5.5
Advisory: https://github.com/advisories/GHSA-xq3m-2v4x-88gg

Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Florent Benoit <fbenoit@redhat.com>
---
 package.json   |  3 ++-
 pnpm-lock.yaml | 13 +++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/package.json b/package.json
index 54c15a45fbc..3e84ebbd236 100644
--- a/package.json
+++ b/package.json
@@ -229,7 +229,8 @@
       "ajv@^6": "^6.14.0",
       "ajv@^8": "^8.18.0",
       "electron-builder-squirrel-windows": "^26.8.2",
-      "svelte>devalue": "^5.6.4"
+      "svelte>devalue": "^5.6.4",
+      "protobufjs": "^7.5.5"
     },
     "patchedDependencies": {
       "docker-modem": "patches/docker-modem.patch"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 1882550d0c0..0253f196ecb 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -38,6 +38,7 @@ overrides:
   ajv@^8: ^8.18.0
   electron-builder-squirrel-windows: ^26.8.2
   svelte>devalue: ^5.6.4
+  protobufjs: ^7.5.5
 
 patchedDependencies:
   docker-modem:
@@ -10090,8 +10091,8 @@ packages:
   proto-list@1.2.4:
     resolution: {integrity: sha512-vtK/94akxsTMhe0/cbfpR+syPuszcuwhqVjJq26CuNDgFGj682oRBXOP5MJpv2r7JtE8MsiepGIqvvOTBwn2vA==}
 
-  protobufjs@7.5.4:
-    resolution: {integrity: sha512-CvexbZtbov6jW2eXAvLukXjXUW1TzFaivC46BpWc/3BpcCysb5Vffu+B3XHMm8lVEuy2Mm4XGex8hBSg1yapPg==}
+  protobufjs@7.5.5:
+    resolution: {integrity: sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==}
     engines: {node: '>=12.0.0'}
 
   proxy-addr@2.0.7:
@@ -14813,14 +14814,14 @@ snapshots:
     dependencies:
       lodash.camelcase: 4.3.0
       long: 5.3.2
-      protobufjs: 7.5.4
+      protobufjs: 7.5.5
       yargs: 17.7.2
 
   '@grpc/proto-loader@0.8.0':
     dependencies:
       lodash.camelcase: 4.3.0
       long: 5.3.2
-      protobufjs: 7.5.4
+      protobufjs: 7.5.5
       yargs: 17.7.2
 
   '@hapi/hoek@9.3.0': {}
@@ -18982,7 +18983,7 @@ snapshots:
       '@grpc/grpc-js': 1.14.0
       '@grpc/proto-loader': 0.7.15
       docker-modem: 5.0.6(patch_hash=5c70d772609f3932e49bceba1d646d56a515d449a1304c39c12df33f16066a9e)
-      protobufjs: 7.5.4
+      protobufjs: 7.5.5
       tar-fs: 2.1.4
       uuid: 10.0.0
     transitivePeerDependencies:
@@ -23353,7 +23354,7 @@ snapshots:
 
   proto-list@1.2.4: {}
 
-  protobufjs@7.5.4:
+  protobufjs@7.5.5:
     dependencies:
       '@protobufjs/aspromise': 1.1.2
       '@protobufjs/base64': 1.1.2