Bump protobufjs from 7.6.0 to 7.6.3 in /js/node

[maoger]

Description

Bumps the protobufjs lockfile entry used by onnxruntime-node from 7.6.0 to 7.6.3. The lockfile also updates @protobufjs/eventemitter from 1.1.0 to 1.1.1, matching protobufjs 7.6.3 dependency metadata.

No package.json range change is needed because the existing ^7.2.4 range already permits 7.6.3.

Motivation and Context

GHSA-f38q-mgvj-vph7 / CVE-2026-54269 reports that protobufjs versions <=7.6.2 are affected by schema-derived names that can shadow runtime-significant properties and make affected processing paths unusable. Version 7.6.3 is the patched 7.x release.

PR #29061 already updated /js/web to protobufjs 7.6.3, but /js/node/package-lock.json still pinned protobufjs 7.6.0. This change brings the Node.js package lockfile in line with the patched version.

Validation:

pm ci in js/node

pm run prepare in js/node

pm audit --json in js/node returned 0 vulnerabilities

pm ls protobufjs @protobufjs/eventemitter --depth=0 shows protobufjs@7.6.3

• Loaded ./test/ort-schema/protobuf/onnx.js with protobufjs/minimal

pm test was attempted. It prepared the Node.js test data and then stopped because the local tree does not have the native binding js/node/bin/napi-v6/win32/x64/onnxruntime_binding.node; this requires a local native build and is unrelated to the protobufjs lockfile update.

[maoger]

Closing to review the change in the fork first.

[Copilot]

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)

• js/node/package-lock.json: Generated file