
fix: backport __proto__ prototype pollution fix to v7.x#2140

Closed
vasiliiperfilev wants to merge 1 commit into
protobufjs:ProtoBuf7from
vasiliiperfilev:backport-proto-pollution-fix

Conversation

@vasiliiperfilev

Summary

Cherry-pick of #2126 (commit f05e3c3) onto the ProtoBuf7 branch.

The fix filters out __proto__ keys in the Message constructor to prevent prototype pollution (AIKIDO-2026-10467). This was merged to master and released in 8.0.1-experimental, but the 7.x line (latest 7.5.4) remains unpatched.

Many consumers are pinned to protobufjs ^7 via google-gax and the broader Google Cloud SDK ecosystem, and cannot upgrade to 8.x until those SDKs migrate. A 7.5.5 patch release would resolve the vulnerability for the entire ^7 ecosystem.

Changes

Single file: src/message.js — skip __proto__ key when iterating over properties in the Message constructor. Identical to #2126.

Request

Would it be possible to publish a 7.5.5 release from the ProtoBuf7 branch with this fix included?

…s#2126)

When a properties object passed to Message constructor contains
__proto__, such as in

const properties = JSON.parse('{"__proto__": {"polluted": "yes"}}');
const message = new protobuf.Message(properties);

the resulting message object will have message.polluted defined
which is not intended.

Filter out __proto__ when iterating over the keys of the properties.
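The behaviour the commit message describes, side by side with the backported filter, as an added JavaScript example that is not protobufjs's own code: VulnerableMessage, HardenedMessage, hostileJson and describe are constructed here for illustration. It shows why JSON.parse input is the trigger (JSON.parse creates an own property literally named "__proto__", which Object.keys lists), what the assignment actually does (it swaps the instance's prototype rather than adding a field), and how the one-line skip restores the expected object shape.

```javascript
// Added example, not code from protobufjs. A minimal Message-like
// constructor that copies caller-supplied properties onto `this`, first in
// the vulnerable shape and then with the backported `__proto__` skip.

function VulnerableMessage(properties) {
  if (properties) {
    for (var keys = Object.keys(properties), i = 0; i < keys.length; ++i) {
      // For the key "__proto__" this assignment hits the Object.prototype
      // setter and replaces the instance's [[Prototype]] with the attacker's
      // object; it does not create an own property.
      this[keys[i]] = properties[keys[i]];
    }
  }
}
VulnerableMessage.prototype.toJSON = function () {
  return Object.assign({}, this);
};

function HardenedMessage(properties) {
  if (properties) {
    for (var keys = Object.keys(properties), i = 0; i < keys.length; ++i) {
      if (keys[i] === "__proto__") continue; // the backported fix: skip the key
      this[keys[i]] = properties[keys[i]];
    }
  }
}
HardenedMessage.prototype.toJSON = function () {
  return Object.assign({}, this);
};

// Constructed hostile input in the shape the commit message gives.
// JSON.parse produces an *own* property named "__proto__", so Object.keys
// returns ["id", "__proto__"] and the loop above visits it.
const hostileJson = '{"id": 7, "__proto__": {"polluted": "yes"}}';

function buildVulnerable() {
  return new VulnerableMessage(JSON.parse(hostileJson));
}

function buildHardened() {
  return new HardenedMessage(JSON.parse(hostileJson));
}

// Inspection helper: reports whether the instance inherited the injected
// field and whether it still has its constructor's prototype (and methods).
function describe(msg, Ctor) {
  return {
    id: msg.id,
    polluted: msg.polluted,
    ownProtoKey: Object.prototype.hasOwnProperty.call(msg, "__proto__"),
    keepsPrototype: Object.getPrototypeOf(msg) === Ctor.prototype,
    hasToJSON: typeof msg.toJSON === "function",
  };
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", describe(buildVulnerable(), VulnerableMessage));
  console.log("hardened:  ", describe(buildHardened(), HardenedMessage));
}
```

Note that the damage is confined to the constructed instance: its prototype becomes the injected object, so it inherits `polluted` and loses every method from the constructor's prototype, but the global Object.prototype is not modified. The hardened constructor keeps the ordinary `id` field and the prototype chain intact while dropping only the `__proto__` key.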
@vasiliiperfilev
Author

@alexander-fenster could you please take a look?

@alexander-fenster
Contributor

Hi @vasiliiperfilev,

I will backport it, no problem, I just believe it's not the right branch you're sending this PR against. It's probably some older development branch. The latest 7.x tag is https://github.com/protobufjs/protobuf.js/tree/protobufjs-v7.5.4.

I won't be able to change your pull request to point to the right branch, so I'll just commit the fix directly :) Hope you don't mind.

@alexander-fenster
Contributor

I published https://www.npmjs.com/package/protobufjs/v/7.5.5 and tagged it here as https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5.

@vasiliiperfilev
Author

Thanks a lot!

@thomas-bw

The release 7.5.5 doesn't appear in the CHANGELOG.md file. This means that dependabot can't show the changes either. Could you please add it there @alexander-fenster?

@alexander-fenster
Contributor

@thomas-bw I will whenever I merge any of the subsequent releases. As I said, with release-please, all non-HEAD releases need some manual labor (or maybe I don't know how to use the automation properly :) ).


3 participants