Security: bump protobufjs (currently 6.8.8) to address GHSA-xq3m-2v4x-88gg

[kaikybrofc]

Summary

@whiskeysockets/libsignal-node currently pins protobufjs to 6.8.8, which is flagged by npm audit as vulnerable to arbitrary code execution (GHSA-xq3m-2v4x-88gg).

Why this matters

Projects using Baileys (which depends on this library) inherit the critical advisory in security scans.

Current dependency

In @whiskeysockets/libsignal-node@2.0.1:

"dependencies": {
  "curve25519-js": "^0.0.4",
  "protobufjs": "6.8.8"
}

Advisory

• GHSA: GHSA-xq3m-2v4x-88gg
• Affected range: protobufjs < 7.5.5

Reproduction

Running npm audit in a project that pulls this dependency reports:

• protobufjs critical vulnerability
• transitively attributed to @whiskeysockets/libsignal-node

Suggested fix

Please bump the dependency from protobufjs@6.8.8 to a safe version (at least 7.5.5), validate compatibility, and release a new version.

Temporary workaround used downstream

We mitigated locally via npm overrides to force protobufjs@7.5.5, but an upstream fix/release would be ideal.

[kaikybrofc]

Thanks for the quick movement here.

I found this open PR that appears to address the dependency bump:

• Update protobufjs and eslint dependencies (fix CVE-2026-41242) #15

I suggest keeping this issue open until:

1. PR Update protobufjs and eslint dependencies (fix CVE-2026-41242) #15 is merged, and
2. a new libsignal-node release is published and consumable downstream.

At that point, downstream projects (including Baileys consumers) can remove temporary workarounds.

[kaikybrofc]

Small correction to avoid ambiguity from formatting in my previous comment:

Suggested closure criteria for this issue:

1. PR Update protobufjs and eslint dependencies (fix CVE-2026-41242) #15 is merged, and
2. a new libsignal-node release is published and available to downstream users.

After that, downstream projects should be able to remove temporary npm overrides used as a mitigation.