From 072b20b73a17b76321aa025b8070b5d71243291a Mon Sep 17 00:00:00 2001
From: poorvapotnis <245047442+poorvapotnis@users.noreply.github.com>
Date: Thu, 16 Apr 2026 18:34:07 -0700
Subject: [PATCH] Bump protobufjs from 7.2.6 to 7.5.5

Fixes Dependabot alert #134 (arbitrary code execution in protobufjs). protobufjs is pulled in transitively via @replit/protocol and versions <7.5.5 allow attackers who can control protobuf definitions to execute arbitrary JS during object decoding. The @replit/protocol package declares protobufjs "^7.2.5" so no downstream version constraints change; only the lockfile is updated.
---
 yarn.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/yarn.lock b/yarn.lock
index 95fe267..eff2c13 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7131,9 +7131,9 @@ prompts@^2.0.1:
     sisteransi "^1.0.5"
 
 protobufjs@^7.2.4:
-  version "7.2.6"
-  resolved "https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.6.tgz"
-  integrity sha512-dgJaEDDL6x8ASUZ1YqWciTRrdOuYNzoOf27oHNfdyvKqHr5i0FV7FSLU+aIeFjyFgVxrpTOtQUi0BLLBymZaBw==
+  version "7.5.5"
+  resolved "https://registry.yarnpkg.com/protobufjs/-/protobufjs-7.5.5.tgz#b7089ca4410374c75150baf277353ef76db69f96"
+  integrity sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==
   dependencies:
     "@protobufjs/aspromise" "^1.1.2"
     "@protobufjs/base64" "^1.1.2"