To report security concerns or vulnerabilities within protobuf-javascript, please use Google's official reporting channel:
https://www.google.com/appserve/security-bugs/m2/new