Skip to content

[Snyk] Security upgrade onnxruntime-web from 1.14.0 to 1.16.0#12171

Open
sestinj wants to merge 1 commit intomainfrom
snyk-fix-1dc0e4fbbad49d9dd6778fd3c4f70836
Open

[Snyk] Security upgrade onnxruntime-web from 1.14.0 to 1.16.0#12171
sestinj wants to merge 1 commit intomainfrom
snyk-fix-1dc0e4fbbad49d9dd6778fd3c4f70836

Conversation

@sestinj
Copy link
Copy Markdown
Contributor

@sestinj sestinj commented Apr 18, 2026
edited by cubic-dev-ai Bot
Loading

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • core/vendor/modules/@xenova/transformers/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue Score
critical severity Arbitrary Code Injection
SNYK-JS-PROTOBUFJS-16094665		   843  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection

Summary by cubic

Upgrade onnxruntime-web from 1.14.0 to 1.16.0 in vendored @xenova/transformers to fix a critical arbitrary code injection vulnerability in protobufjs (SNYK-JS-PROTOBUFJS-16094665). Dependency-only change; no functional code updates.

Written for commit fad801f. Summary will update on new commits.

@sestinj sestinj requested a review from a team as a code owner April 18, 2026 11:30
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Apr 18, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Apr 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

@continue
Copy link
Copy Markdown
Contributor

continue Bot commented Apr 18, 2026

Docs Review: No documentation updates needed.

This PR is a security patch that upgrades onnxruntime-web from 1.14.0 to 1.16.0 in a vendored dependency. This is an internal dependency change with no impact on user-facing APIs, configuration, or functionality—so no docs changes are required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

Issues and PRs
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sestinj @snyk-bot