
fix(openclaw): bump protobufjs to >=7.5.5 (GHSA-xq3m-2v4x-88gg)#5012

Merged
kk2211 merged 1 commit into mem0ai:main from kk2211:fix/protobufjs-ghsa-xq3m-2v4x-88gg
Apr 29, 2026

Conversation

Contributor

@kk2211 kk2211 commented Apr 29, 2026

Linked Issue

N/A — security advisory remediation. Reported via Slack: bump npm protobufjs to >=7.5.5 to address GHSA-xq3m-2v4x-88gg / CVE-2026-41242.

Description

openclaw/pnpm-lock.yaml was resolving protobufjs@7.5.4, which is vulnerable to GHSA-xq3m-2v4x-88gg — code injection via malicious protobuf type fields (CVSS 9.4, CWE-94). Fixed in 7.5.5.

protobufjs is a transitive dependency: @mem0/openclaw-mem0 → mem0ai → @google/genai@1.45.0 → protobufjs. Since it isn't a direct dep, the minimal-blast-radius fix is a pnpm.overrides constraint pinning vulnerable ranges to a patched version.

Changes

  • openclaw/package.json — adds:
    "pnpm": {
      "overrides": {
        "protobufjs@<7.5.5": "^7.5.5"
      }
    }
  • openclaw/pnpm-lock.yaml — regenerated. protobufjs now resolves to 7.5.6 (patched).

No source changes; no public API changes.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature
  • Breaking change
  • Refactor
  • Documentation update

Breaking Changes

None. protobufjs@7.5.6 is semver-compatible with 7.5.4 (the consumer is @google/genai, which declares protobufjs as a runtime dep without a tight version pin).

Test Coverage

  • Added/updated unit tests
  • Added/updated integration tests
  • Tested manually
  • No tests needed

Verified locally in openclaw/:

Step             Result
pnpm install     ✅ override applied; protobufjs@7.5.6 in lockfile; no 7.5.4 references remain
pnpm run build   ✅ tsup build success (ESM + DTS)
pnpm run test    420/420 tests passing across 15 test files

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my code
  • I have added tests that prove my fix/feature works (existing test suite verifies no regressions)
  • New and existing tests pass locally
  • I have updated documentation if needed (N/A)

Adds a pnpm.overrides entry pinning the transitive protobufjs (pulled in
via mem0ai -> @google/genai) to ^7.5.5 to remediate GHSA-xq3m-2v4x-88gg
/ CVE-2026-41242 (code injection via malicious protobuf type fields,
CVSS 9.4). Lockfile resolves to 7.5.6.

Build and tests verified locally (420/420 passing).
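A lockfile check for the "no 7.5.4 references remain" step, as an added example that is not part of this PR or the openclaw project: it scans pnpm-lock.yaml text for every version protobufjs resolves to and fails if any is below the patched floor. The lockfile fragment, the integrity placeholders and the overrides key layout are constructed assumptions for illustration.

```javascript
// Audit a pnpm-lock.yaml (v9 layout) for resolutions of a package below a
// patched floor: the check behind "no 7.5.4 references remain" in the PR.
// The lockfile text below is CONSTRUCTED for illustration, not openclaw's own.
const PATCHED_FLOOR = "7.5.5"; // first fixed protobufjs per GHSA-xq3m-2v4x-88gg
// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; any suffix is ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// Every version of `pkg` the lockfile resolves, gathered from "pkg@x.y.z:"
// package/snapshot keys and from "pkg: x.y.z" lines in dependency lists.
function resolvedVersions(lockText, pkg) {
  const p = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // escape regex metachars
  const keyRe = new RegExp(`^\\s*'?${p}@(\\d+\\.\\d+\\.\\d+[^\\s:'"(]*)`);
  const depRe = new RegExp(`^\\s*'?${p}'?:\\s*(\\d+\\.\\d+\\.\\d+[^\\s'"(]*)`);
  const found = new Set();
  for (const line of lockText.split("\n")) {
    const m = keyRe.exec(line) || depRe.exec(line);
    if (m) found.add(m[1]);
  }
  return [...found].sort(compareSemver);
}
// ok only when the package is present AND every resolution meets the floor.
function auditLockfile(lockText, pkg, floor) {
  const versions = resolvedVersions(lockText, pkg);
  const vulnerable = versions.filter((v) => compareSemver(v, floor) < 0);
  return { versions, vulnerable, ok: versions.length > 0 && vulnerable.length === 0 };
}
// Constructed fragment mirroring the chain mem0ai -> @google/genai -> protobufjs.
const LOCK_BEFORE = `packages:
  '@google/genai@1.45.0':
    resolution: {integrity: sha512-CONSTRUCTED}
  protobufjs@7.5.4:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  '@google/genai@1.45.0':
    dependencies:
      protobufjs: 7.5.4
`;
// After the pnpm.overrides entry and a lockfile regeneration: 7.5.4 becomes 7.5.6.
const LOCK_AFTER = "overrides:\n  protobufjs@<7.5.5: ^7.5.5\n" + LOCK_BEFORE.replace(/7\.5\.4/g, "7.5.6");
console.log(auditLockfile(LOCK_BEFORE, "protobufjs", PATCHED_FLOOR)); // ok: false, vulnerable: ["7.5.4"]
console.log(auditLockfile(LOCK_AFTER, "protobufjs", PATCHED_FLOOR));  // ok: true, versions: ["7.5.6"]
```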
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.


@kk2211 kk2211 merged commit 594b4e6 into mem0ai:main Apr 29, 2026
5 of 6 checks passed