Update protobufjs and eslint dependencies (fix CVE-2026-41242) #15
amodsachintha wants to merge 2 commits into WhiskeySockets:master from
📝 Walkthrough
The pull request updates two npm dependencies in
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: 3 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@package.json`:
- Line 23: The package.json bump sets "eslint": "10.2.1" (was v6) which may introduce breaking config and compatibility changes; verify and update ESLint configuration and document CVE rationale: confirm .eslintrc.json and src/.eslintrc.json are compatible with ESLint v10 (or migrate them), run lint across the repo to catch rule/plugin incompatibilities, update or pin any ESLint plugins/extensions to versions compatible with v10, and add a PR note clarifying why eslint is updated alongside protobufjs/CVE-2026-41242 (or split the eslint upgrade into a separate PR if unrelated).
2 issues found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="package.json">
<violation number="1" location="package.json:16">
P1: The lockfile still pins `protobufjs` to 6.8.8, so the security upgrade in `package.json` may not take effect for Yarn-based installs.</violation>
<violation number="2" location="package.json:23">
P1: ESLint 10 completely removes support for `.eslintrc.*` configuration files (only `eslint.config.js` flat config is supported). This project uses `.eslintrc.json` and `src/.eslintrc.json`, so upgrading from v6 directly to v10 will break linting — ESLint will not find or load the existing configuration. Either migrate the config files to flat config format (`eslint.config.js`) or pin to ESLint 9 which still supports legacy config via `ESLINT_USE_FLAT_CONFIG=false`.</violation>
</file>
Bumped protobuf version (and eslint along with it) to fix the CVE our systems reported with Baileys.
Fix CVE-2026-41242
Summary by cubic
Upgrades protobufjs to ^7.5.5 to fix CVE-2026-41242 and pins eslint to ^9 for updated linting. Updates the lockfile to resolve transitive dependencies.
- protobufjs: 6.8.8 → ^7.5.5 (security fix)
- eslint: 6.0.1 → ^9 (dev-only; lockfile resolves to 9.39.4)
Written for commit 2d617e9.
Summary by CodeRabbit
Chores