
LTS-2885: pin protobufjs to 7.6.4 (fix GHSA-xq3m-2v4x-88gg RCE)#13

Merged
Ankit098 merged 2 commits into main from LTS-2885-protobufjs-7.6.4 on Jun 25, 2026

Conversation

@anupam-s-20 anupam-s-20 commented Jun 24, 2026

Collaborator

Context

ticket - https://browserstack.atlassian.net/browse/LTS-2885
Dependabot flagged a critical arbitrary-code-execution vulnerability in protobufjs (GHSA-xq3m-2v4x-88gg, tracked internally as LTS-2885). The advisory: malicious type names in a protobuf schema definition can break out of protobufjs' runtime code generation and execute arbitrary JS during decode.

This repo's package-lock.json resolves protobufjs@7.5.3, which is < 7.5.5 and therefore vulnerable.

protobufjs is not a direct dependency — the sample's own code only uses @playwright/test. It comes in transitively through the BrowserStack SDK:

browserstack-node-sdk
  └─ @google-cloud/compute / @google-cloud/container / @grpc/proto-loader
       └─ google-gax
            └─ protobufjs

Because it's transitive, Dependabot couldn't auto-open a bump PR — it needs an overrides pin, which is the same mechanism this repo already uses for qs, jws, tar-fs, etc.

Change

  • package.json: add "protobufjs": "7.6.4" to the existing overrides block
  • package-lock.json: regenerated so the pin takes effect (lockfileVersion 2 preserved)

7.6.4 is the latest 7.x and is semver-compatible with the ^7.2.5 / ^7.3.2 constraints already in the tree.

Impact

Pinning to 7.6.4 resolves not just the critical GHSA-xq3m-2v4x-88gg but all open protobufjs advisories on this repo in one bump (#31 plus #38–#43, which need ≥ 7.5.6). After merge to main, Dependabot re-scans and auto-resolves these alerts, closing LTS-2885.

Verification

  • protobufjs resolves to 7.6.4; dependency tree resolves cleanly with the override.
  • Lockfile churn is contained to the protobufjs family only (protobufjs + its @protobufjs/* helpers; @protobufjs/inquire dropped). No unrelated packages changed.
  • Scope is the protobufjs fix only — unrelated drift (test @sample tags, Semgrep pin) intentionally left out.
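The "protobufjs resolves to 7.6.4" check above is the part a reviewer most wants to be able to repeat, because npm can leave an older nested copy of a package under a transitive dependent even after a top-level bump, and a lockfile that still carries one is still vulnerable. The script below is an added example, not code from this PR or from the BrowserStack sample repo: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, reports every installed copy of protobufjs below the first fixed version, and applies the same kind of `overrides` pin the PR adds. The fixed version 7.5.5 is taken from the comment ("< 7.5.5 and therefore vulnerable"); the package.json and lockfile objects are constructed for illustration and are not the repo's files.

```javascript
// Added example; not code from this PR or from the BrowserStack sample repo.
// Checks a lockfileVersion 2/3 package-lock.json for installed copies of a
// package that are still below the fixed version, and applies an "overrides"
// pin of the kind the PR adds. The package.json and lockfile objects below are
// constructed to show the shape; they are not the repo's files.

const NAME = "protobufjs";
const FIXED = "7.5.5"; // first non-vulnerable version, per the advisory text in the PR
const PIN = "7.6.4";   // version the PR pins to

// Compare plain x.y.z versions. Assumption: no prerelease or build suffixes,
// which is all a lockfile "version" field normally carries for a published release.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name` appears in "packages" under a key ending in
// "node_modules/<name>", including copies nested under a transitive dependent.
// A top-level bump that leaves a nested older copy behind is still vulnerable,
// which is why every key is examined rather than just "node_modules/<name>".
function findVulnerableCopies(lockfile, name, fixedVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isCopy = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (!isCopy || !entry.version) continue;
    if (compareVersions(entry.version, fixedVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Add (or replace) an exact pin in the package.json "overrides" block, keeping
// the pins already there. npm applies an override to every occurrence of the
// package in the tree, which is what makes it work for a transitive dependency.
function addOverride(pkg, name, version) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: version } };
}

function audit(lockfile, name = NAME, fixedVersion = FIXED) {
  const hits = findVulnerableCopies(lockfile, name, fixedVersion);
  return { ok: hits.length === 0, hits };
}

// Constructed package.json: only @playwright/test and the SDK are direct
// dependencies, and an overrides block already exists, as the PR describes.
const packageJsonBefore = {
  name: "sample",
  devDependencies: { "@playwright/test": "^1.40.0", "browserstack-node-sdk": "^1.0.0" },
  overrides: { qs: "6.11.0" }
};

// Constructed lockfile before the pin: the hoisted 7.5.3 the PR mentions plus a
// nested older copy under google-gax, both below 7.5.5. Other versions are placeholders.
const lockBefore = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample" },
    "node_modules/browserstack-node-sdk": { version: "1.0.0" },
    "node_modules/google-gax": { version: "4.0.0" },
    "node_modules/google-gax/node_modules/protobufjs": { version: "7.4.0" },
    "node_modules/protobufjs": { version: "7.5.3" },
    "node_modules/@protobufjs/inquire": { version: "1.1.0" } // helper package, not protobufjs itself
  }
};

// Constructed lockfile after regenerating with the override: a single copy at 7.6.4.
const lockAfter = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample" },
    "node_modules/browserstack-node-sdk": { version: "1.0.0" },
    "node_modules/google-gax": { version: "4.0.0" },
    "node_modules/protobufjs": { version: "7.6.4" }
  }
};

const packageJsonAfter = addOverride(packageJsonBefore, NAME, PIN);
console.log("overrides:", JSON.stringify(packageJsonAfter.overrides));
console.log("before pin:", JSON.stringify(audit(lockBefore)));
console.log("after pin:", JSON.stringify(audit(lockAfter)));
```

To run this against the real files, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and the same for package.json; `npm ls protobufjs` gives the same picture from npm itself. A lockfileVersion 1 file has no `packages` map, only the nested `dependencies` tree, so the walk would have to recurse through that instead.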

@anupam-s-20 anupam-s-20 requested a review from a team as a code owner June 24, 2026 13:49
@anupam-s-20 anupam-s-20 requested a review from sourabhd-cbu June 24, 2026 13:49
@Ankit098 Ankit098 merged commit bcc1997 into main Jun 25, 2026
5 checks passed
@Ankit098 Ankit098 deleted the LTS-2885-protobufjs-7.6.4 branch June 25, 2026 05:31


3 participants