
security: vulnerability remediation #16

Open
kernel-internal[bot] wants to merge 1 commit into main from security/vuln-remediation

Conversation

kernel-internal[bot] commented May 20, 2026

Vulnerability Remediation — 2026-05-20

Fixed

| CVE | Package | Ecosystem | Old Version | New Version | Manifest |
|---|---|---|---|---|---|
| CVE-2026-41242 | protobufjs | npm | 7.5.4 | 7.6.0 | pnpm-lock.yaml |
| CVE-2026-41242 | protobufjs | npm | 7.5.4 | 7.6.0 | package-lock.json |

Skipped (non-actionable)

| Alert Type | Package | Severity | Reason |
|---|---|---|---|
| cve | handlebars | warn | CVE is in a development-only dependency (dev: true in lockfile), not a runtime production dependency. |

Deferred (needs human review)

| CVE | Package | Severity | Reason |
|---|---|---|---|
| (none) | | | |

Note

Low Risk
Low risk lockfile-only dependency update to remediate CVE-2026-41242, but could affect any code paths relying on protobuf serialization at runtime.

Overview
Updates npm dependency locks to remediate CVE-2026-41242 by bumping protobufjs from 7.5.4 to 7.6.0 (and associated @protobufjs/* transitive packages) in both package-lock.json and pnpm-lock.yaml.

Adds fix-result.json documenting the vulnerability fix outcome (2 fixed, 0 reverted).

Reviewed by Cursor Bugbot for commit 65aa2c2. Bugbot is set up for automated code reviews on this repo.

Co-authored-by: Cursor <cursoragent@cursor.com>
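One way to implement the Fixed / Skipped / Deferred triage the bot's summary above describes, as an added example that is not the kernel repo's or Cursor's own tooling: it reads a lockfileVersion 3 package-lock.json, checks each advisory's affected range against every install of the package (including nested copies), and applies the dev-only rule under which the handlebars alert was skipped. Only the protobufjs CVE id and its 7.5.4 to 7.6.0 bump come from the PR; the sample lockfile, every affected range, the handlebars alert id and the example-pkg advisory are constructed assumptions.

```javascript
// Triage advisories against an npm package-lock.json (lockfileVersion 3), reproducing the
// Fixed / Skipped / Deferred split used in the remediation summary above.
// Added example, not the kernel repo's tooling. Everything except the protobufjs CVE id and
// the 7.5.4 -> 7.6.0 bump is constructed for the demo.

// Constructed lockfile fragment in the lockfileVersion 3 layout: "packages" is keyed by install
// path, and `dev: true` marks an install reachable only through devDependencies.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/protobufjs": { version: "7.5.4" },
    "node_modules/handlebars": { version: "4.7.8", dev: true },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/example-pkg": { version: "1.2.3" },
  },
};

// Constructed advisory list. The affected ranges are assumptions; the handlebars id is a
// placeholder because the PR table gives no CVE number for that alert.
const ADVISORIES = [
  { id: "CVE-2026-41242", pkg: "protobufjs", vulnerableBelow: "7.6.0", fixedVersion: "7.6.0", severity: "warn" },
  { id: "handlebars-alert", pkg: "handlebars", vulnerableBelow: "4.8.0", fixedVersion: "4.8.0", severity: "warn" },
  { id: "lodash-demo", pkg: "lodash", vulnerableBelow: "4.17.0", fixedVersion: "4.17.0", severity: "warn" },
  { id: "example-pkg-demo", pkg: "example-pkg", vulnerableBelow: "2.0.0", fixedVersion: null, severity: "high" },
];

// Compare two dotted numeric versions ("7.5.4" vs "7.6.0"). Pre-release tags are dropped, so
// "7.6.0-rc.1" sorts equal to "7.6.0"; use the `semver` package when full range syntax matters.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every install of `pkg`, including copies nested under another package's node_modules.
function findInstalls(lockfile, pkg) {
  const suffix = "node_modules/" + pkg;
  return Object.entries(lockfile.packages)
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version, dev: meta.dev === true }));
}

function triageLockfile(lockfile, advisories) {
  const report = { fixed: [], skipped: [], deferred: [] };
  for (const adv of advisories) {
    const affected = findInstalls(lockfile, adv.pkg)
      .filter((inst) => compareVersions(inst.version, adv.vulnerableBelow) < 0);
    if (affected.length === 0) continue; // installed version is outside the affected range
    // Non-actionable only when every affected install is dev-only; one runtime path is enough to act.
    if (affected.every((inst) => inst.dev)) {
      report.skipped.push({ id: adv.id, pkg: adv.pkg, severity: adv.severity,
        reason: "affected install is a dev-only dependency (dev: true in lockfile)" });
      continue;
    }
    if (!adv.fixedVersion) {
      report.deferred.push({ id: adv.id, pkg: adv.pkg, severity: adv.severity,
        reason: "runtime dependency with no fixed version published; needs human review" });
      continue;
    }
    for (const inst of affected.filter((i) => !i.dev)) {
      report.fixed.push({ id: adv.id, pkg: adv.pkg, path: inst.path,
        oldVersion: inst.version, newVersion: adv.fixedVersion });
    }
  }
  return report;
}

// Usage: node triage.js
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triageLockfile(SAMPLE_LOCKFILE, ADVISORIES), null, 2));
}
```

Two caveats a reviewer would keep in mind when reading the bot's skip reason: `dev: true` only says there is no runtime install path in this lockfile, not that the package never touches untrusted input (a build step or CI job can still run it), so a skipped alert is still worth a glance at how the package is used; and this reader handles only the npm lockfile layout, while pnpm-lock.yaml records dev-only status differently (per importer, under devDependencies), so the same rule needs a separate reader for that file.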
@firetiger-agent commented

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR only updates dependencies in lockfiles; does not modify API endpoints or Temporal workflows.

To monitor this PR anyway, reply with @firetiger monitor this.
