chore: main: update protobufjs to fix CVE-2026-41242 by kim-tsao · Pull Request #4745 · redhat-developer/rhdh

kim-tsao · 2026-05-01T19:21:55Z

Description

Please explain the changes you made here.

Which issue(s) does this PR fix

Fixes #?
Fix CVE-2026-41242 by adding bumping protobufjs to v7.5.6 and pinning its transitive dependency @protobufjs/inquire to v1.1.0 to avoid the following error:

app:  Error: Failed to compile '../../node_modules/protobufjs/node_modules/@protobufjs/inquire/index.js':
app:    Critical dependency: the request of a dependency is an expression

1.10 fix for https://redhat.atlassian.net/browse/RHIDP-13303

PR acceptance criteria

Please make sure that the following steps are complete:

GitHub Actions are completed and successful
Unit Tests are updated and passing
E2E Tests are updated and passing
Documentation is updated if necessary (requirement for new features)
Add a screenshot if the change is UX/UI related

How to test changes / Special notes to the reviewer

codecov · 2026-05-01T19:25:05Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.04%. Comparing base (5a6cf35) to head (aa328e6).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #4745       +/-   ##
===========================================
+ Coverage   40.98%   69.04%   +28.06%     
===========================================
  Files         119      118        -1     
  Lines        2223     4898     +2675     
  Branches      561      532       -29     
===========================================
+ Hits          911     3382     +2471     
- Misses       1306     1511      +205     
+ Partials        6        5        -1

Flag	Coverage Δ
install-dynamic-plugins	`92.44% <ø> (?)`
rhdh	`40.30% <ø> (-0.68%)`	⬇️

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5a6cf35...aa328e6. Read the comment docs.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions · 2026-05-01T19:36:09Z

The container image build workflow finished with status: failure.

github-actions · 2026-05-01T19:52:51Z

The container image build workflow finished with status: failure.

github-actions · 2026-05-04T01:58:00Z

The container image build workflow finished with status: failure.

Signed-off-by: Kim Tsao <ktsao@redhat.com>

github-actions · 2026-05-04T23:02:25Z

The container image build workflow finished with status: cancelled.

github-actions · 2026-05-04T23:18:18Z

The container image build workflow finished with status: failure.

Signed-off-by: Kim Tsao <ktsao@redhat.com>

sonarqubecloud · 2026-05-04T23:34:42Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

github-actions · 2026-05-05T00:07:17Z

Image was built and published successfully. It is available at:

kim-tsao · 2026-05-05T10:48:00Z

/test e2e-ocp-helm

alizard0 · 2026-05-05T12:25:28Z

/test e2e-ocp-helm

kim-tsao · 2026-05-05T18:03:43Z

/retest

alizard0

/lgtm

kim-tsao · 2026-05-06T14:00:33Z

/retest

openshift-ci Bot requested review from rostalan and schultzp2020 May 1, 2026 19:22

kim-tsao mentioned this pull request May 4, 2026

chore: add a resolution to @backstage/backend-plugin-api #4756

Closed

5 tasks

kim-tsao force-pushed the main_protobufjs branch from c11a621 to acb605e Compare May 4, 2026 22:50

update protobufjs to 7.5.6 and pin @protobufjs/inquire to 1.1.0

0b2fbbd

Signed-off-by: Kim Tsao <ktsao@redhat.com>

kim-tsao force-pushed the main_protobufjs branch from acb605e to 0b2fbbd Compare May 4, 2026 23:02

add resolutions to dynamic plugins

aa328e6

Signed-off-by: Kim Tsao <ktsao@redhat.com>

kim-tsao changed the title ~~chore: main: update protobufjs to 7.5.5 to fix CVE-2026-41242~~ chore: main: update protobufjs to fix CVE-2026-41242 May 5, 2026

alizard0 approved these changes May 6, 2026

View reviewed changes

openshift-ci Bot assigned alizard0 May 6, 2026

openshift-ci Bot added the lgtm label May 6, 2026

alizard0 mentioned this pull request May 6, 2026

chore(deps): patch protobufjs to 7.5.5 or higher #4721

Closed

openshift-merge-bot Bot merged commit 6d1ace8 into redhat-developer:main May 6, 2026
23 checks passed

Conversation

kim-tsao commented May 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Which issue(s) does this PR fix

PR acceptance criteria

How to test changes / Special notes to the reviewer

Uh oh!

codecov Bot commented May 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions Bot commented May 1, 2026

Uh oh!

github-actions Bot commented May 1, 2026

Uh oh!

github-actions Bot commented May 4, 2026

Uh oh!

github-actions Bot commented May 4, 2026

Uh oh!

github-actions Bot commented May 4, 2026

Uh oh!

sonarqubecloud Bot commented May 4, 2026

Quality Gate passed

Uh oh!

github-actions Bot commented May 5, 2026

Uh oh!

kim-tsao commented May 5, 2026

Uh oh!

alizard0 commented May 5, 2026

Uh oh!

kim-tsao commented May 5, 2026

Uh oh!

alizard0 left a comment

Choose a reason for hiding this comment

Uh oh!

kim-tsao commented May 6, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

kim-tsao commented May 1, 2026 •

edited

Loading

codecov Bot commented May 1, 2026 •

edited

Loading