Anonymous Intelligence Signal

Critical Advisory GHSA-xq3m-2v4x-88gg Patched in Cesium Engine's protobufjs Dependency

human The Lab unverified 2026-04-17 08:22:52 Source: GitHub Issues

A critical vulnerability reported as enabling arbitrary code execution has been patched in the CesiumJS dependency chain. The flaw, tracked under GitHub Security Advisory GHSA-xq3m-2v4x-88gg (a GHSA identifier rather than a CVE number), resides in the `protobufjs` library, which `@cesium/engine` uses for protocol-buffer serialization. Versions below 7.5.5 are affected. Any application built on the affected engine inherits the flaw; whether it is remotely reachable depends on whether the vulnerable `protobufjs` code path can be driven with attacker-controlled input.

The fix was implemented by forcing a full lockfile resolution, which moved the resolved `protobufjs` from 7.5.4 to the patched 7.5.5. Because 7.5.5 falls inside the declared semantic-versioning range (`^7.1.0`), no change to `package.json` or to any API surface was required; the remediation is confined to `pnpm-lock.yaml`. That scope is worth understanding: a lockfile governs only installs made from it, so this change fixes the project's own development and CI builds. The published `@cesium/engine` package still declares `^7.1.0`, and a downstream application is protected only once its own lockfile resolves `protobufjs` to 7.5.5 or later, which requires refreshing that lockfile rather than merely upgrading the engine.
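The point about the caret range and the lockfile can be checked mechanically. The following JavaScript is an added example, not CesiumJS project code: it scans a pnpm lockfile for every resolved `protobufjs` version, confirms each is at or above 7.5.5, and confirms each still satisfies `^7.1.0`. The lockfile excerpts inside it are constructed for illustration, and the lockfile key shapes it recognises (`/pkg/1.2.3:`, `/pkg@1.2.3:`, `pkg@1.2.3:`) and the `check-lockfile.js` filename are assumptions, not anything taken from the project.

```javascript
// Added example, not CesiumJS project code. Audits a pnpm lockfile for the
// resolved protobufjs versions and checks that each one is at or above the
// patched release while still satisfying the caret range declared in
// package.json. The lockfile excerpts below are constructed for illustration.

// Parse "x.y.z" into numbers. Pre-release and build suffixes are ignored
// (simplification: "7.5.5-beta.1" compares equal to "7.5.5").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// npm caret semantics: the range admits versions >= base that keep the
// leftmost non-zero component fixed (^7.1.0 -> <8.0.0, ^0.2.1 -> <0.3.0,
// ^0.0.3 -> exactly 0.0.3). This is why 7.5.5 fits ^7.1.0 with no
// package.json change.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(version, range.slice(1)) < 0) return false;
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Collect every resolved version of `pkg` from the lockfile's package keys.
// Assumed key shapes: "/pkg/1.2.3:" (lockfile v5), "/pkg@1.2.3:" (v6) and
// "pkg@1.2.3:" (v9). A line-based scan avoids a YAML parser and deliberately
// skips "pkg: 1.2.3" dependency listings, which only point at a key found
// elsewhere. A pnpm lockfile may carry several versions of one package, so
// the result is a list rather than a single value.
function resolvedVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
  const re = new RegExp(`^\\s*/?${escaped}[@/](\\d+\\.\\d+\\.\\d+)`, "gm");
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found];
}

// Flag any resolved version below the patched release or outside the range.
function auditLockfile(lockText, pkg, declaredRange, patchedVersion) {
  const versions = resolvedVersions(lockText, pkg);
  const vulnerable = versions.filter((v) => compareVersions(v, patchedVersion) < 0);
  const outOfRange = versions.filter((v) => !satisfiesCaret(declaredRange, v));
  return {
    versions,
    vulnerable,
    outOfRange,
    ok: versions.length > 0 && vulnerable.length === 0 && outOfRange.length === 0,
  };
}

// Constructed pnpm-lock.yaml excerpts (lockfile v6 key style) mirroring the
// before and after states described above. Integrity hashes are placeholders.
const LOCKFILE_BEFORE = `lockfileVersion: '6.0'

importers:

  packages/engine:
    dependencies:
      protobufjs:
        specifier: ^7.1.0
        version: 7.5.4

packages:

  /protobufjs@7.5.4:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: '>=12.0.0'}
    dev: false
`;

const LOCKFILE_AFTER = LOCKFILE_BEFORE.replace(/7\.5\.4/g, "7.5.5");

// A lockfile can resolve one package to several versions (for instance when
// another dependency pins an older release); every copy has to be clean.
const LOCKFILE_MIXED = LOCKFILE_AFTER + `
  /protobufjs@7.5.4:
    resolution: {integrity: sha512-PLACEHOLDER}
    dev: false
`;

// Stand-alone use: `node check-lockfile.js pnpm-lock.yaml` audits a real
// lockfile; with no argument the constructed excerpts are audited.
if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const inputs = target
    ? { [target]: require("fs").readFileSync(target, "utf8") }
    : { before: LOCKFILE_BEFORE, after: LOCKFILE_AFTER, mixed: LOCKFILE_MIXED };
  for (const [name, text] of Object.entries(inputs)) {
    console.log(name, JSON.stringify(auditLockfile(text, "protobufjs", "^7.1.0", "7.5.5")));
  }
}
```

Run it against a real `pnpm-lock.yaml` to audit a downstream project. A lockfile that resolves `protobufjs` to more than one version is reported as not clean until every copy is at 7.5.5 or later, which is exactly the case an inspection of `package.json` alone misses.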

Post-patch validation confirms the resolved version is outside the advisory's affected range: a `rush audit` scan returns zero high or critical vulnerabilities, and no further change verification was judged necessary for a lockfile-only update. Full build and test cycles are deferred to the continuous integration pipeline, so the audit result should be read as confirmation that the vulnerable version is gone, not as evidence that the build is unaffected. The update is a contained but essential hardening of a widely used 3D geospatial visualization library; downstream applications receive the same protection only when they update their own lockfiles.