Environment details
- Package name:
@google-cloud/datastore
- Affected version:
10.1.1
The problem
The datastore-v10.1.1 release (2026-05-11) is tagged on GitHub, but the version was never published to npm. The npm version list ends at 10.1.0, and the latest dist-tag still points at 10.1.0.
Why this matters
10.1.1 includes "Upgrade protobufjs and fix legacy key decoding in Datastore" (#8088), which moves protobufjs onto a release that fixes CVE-2026-41242 (High severity — RCE in protobufjs, GHSA-xq3m-2v4x-88gg, fixed in protobufjs@7.5.5+; CVSS scores vary across advisories). @google-cloud/datastore@10.1.0 still declares protobufjs 7.4.0, so consumers who cannot apply their own dependency override remain on the vulnerable range until 10.1.1 reaches npm.
Request
Please publish @google-cloud/datastore@10.1.1 to npm so the protobufjs fix is consumable through normal dependency resolution.
Environment details
@google-cloud/datastore10.1.1The problem
The
datastore-v10.1.1release (2026-05-11) is tagged on GitHub, but the version was never published to npm. The npm version list ends at10.1.0, and thelatestdist-tag still points at10.1.0.Why this matters
10.1.1includes "Upgrade protobufjs and fix legacy key decoding in Datastore" (#8088), which moves protobufjs onto a release that fixes CVE-2026-41242 (High severity — RCE in protobufjs, GHSA-xq3m-2v4x-88gg, fixed inprotobufjs@7.5.5+; CVSS scores vary across advisories).@google-cloud/datastore@10.1.0still declaresprotobufjs 7.4.0, so consumers who cannot apply their own dependency override remain on the vulnerable range until10.1.1reaches npm.Request
Please publish
@google-cloud/datastore@10.1.1to npm so the protobufjs fix is consumable through normal dependency resolution.