chore(deps): resolve Dependabot vulnerabilities #131
Drops the dapp from 1 critical + 11 high + 4 moderate to only LOW alerts, and removes the stray yarn.lock that was duplicating every alert on GitHub.

- Remove yarn.lock: project uses npm (CI runs npm ci). Two lockfiles made Dependabot count each vuln across both, inflating the total.
- Pin @creit.tech/stellar-wallets-kit to 1.5.0: 1.6+ and 2.x bundle near/solana/hot-wallet ecosystems (adding moderate vulns plus uuid/jayson) that the dapp never uses. It only registers Freighter/Albedo/WalletConnect.
- Bump next 16.2.6 -> 16.2.9 and eslint-config-next 16.1.6 -> 16.2.9.
- Add overrides for patched transitive deps: protobufjs ^7.6.4 (critical RCE), axios ^1.18.1 (auth bypass/SSRF), ws ^8.21.0 (DoS), ua-parser-js ^2.0.10 (ReDoS), postcss ^8.5.10 (XSS), brace-expansion ^2.0.2 (ReDoS).

Remaining alerts are all LOW and currently unfixable: 14 trace to elliptic (GHSA-848j-6mx2-7j84) which has no patched release, pulled in by the wallet kit's Trezor/ripple support; 1 is @babel/core (dev-only, fix only in 8.x).

Verified: next build compiles all routes, TypeScript clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary

Resolves the Dependabot alerts on the dapp. The default branch reports 80 alerts (2 critical, 37 high, 31 moderate, 10 low); most of that is inflation from a stray `yarn.lock` that made Dependabot count every vuln twice. After this PR the real surface drops to LOW only.

`npm audit`: 26 (1 critical, 11 high, 4 moderate, 10 low) -> 15, all LOW.

Changes

- Remove `yarn.lock`. CI runs `npm ci`, so the project uses npm. Two lockfiles made Dependabot scan and count each vuln in both, roughly doubling the totals.
- Pin `@creit.tech/stellar-wallets-kit` to `1.5.0`. Versions 1.6+ and 2.x bundle near/solana/hot-wallet ecosystems (adding moderate vulns plus `uuid`/`jayson`) that the dapp never uses. It only registers Freighter, Albedo, and WalletConnect.
- Bump `next` 16.2.6 to 16.2.9 and `eslint-config-next` to match.
- Add `overrides` forcing patched transitive deps:
  - `protobufjs ^7.6.4` (critical RCE, GHSA-xq3m-2v4x-88gg)
  - `axios ^1.18.1` (auth bypass / SSRF / prototype pollution)
  - `ws ^8.21.0` (DoS, memory disclosure)
  - `ua-parser-js ^2.0.10` (ReDoS)
  - `postcss ^8.5.10` (XSS)
  - `brace-expansion ^2.0.2` (ReDoS)

Remaining alerts (all LOW, currently unfixable)

- `elliptic` (GHSA-848j-6mx2-7j84). There is no patched release; 6.6.1 is the latest and is itself flagged. It is pulled in transitively by the wallet kit's Trezor/ripple support.
- `@babel/core` (dev-only; the fix only exists in the breaking 8.x line).

Clearing these would require removing wallet functionality, so they are left in place.

Verification

`npm run build` compiles all routes, TypeScript clean. No app code changed.
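An `overrides` entry only helps if every installed copy of the package, including nested duplicates under another dependency, actually resolves to the patched range. The check below is an added example, not code from this PR or the project; it assumes a lockfile v2/v3 `packages` map and only the caret ranges the PR uses (majors >= 1), and the sample lockfile is constructed.

```javascript
// Added example, not code from the PR: verify that each package.json "overrides"
// range is really satisfied by every copy of that package resolved in
// package-lock.json (lockfile v2/v3 "packages" map assumed). Only the caret
// ranges used in this PR are supported; majors are assumed to be >= 1.

// "1.18.1" -> [1, 18, 1]; any pre-release suffix is ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// ^x.y.z with x >= 1: same major, and not below x.y.z.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const [vMaj, vMin, vPat] = parseVersion(version);
  const [rMaj, rMin, rPat] = parseVersion(range.slice(1));
  if (vMaj !== rMaj) return false;
  if (vMin !== rMin) return vMin > rMin;
  return vPat >= rPat;
}

// Each lockfile key is an install path ending in the package name, so nested
// duplicates (node_modules/sdk/node_modules/axios) are checked as well.
function checkOverrides(overrides, lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0 || !entry.version) continue; // "" is the root project itself
    const name = path.slice(i + "node_modules/".length);
    const range = overrides[name];
    if (range && !satisfiesCaret(entry.version, range)) {
      findings.push({ path, version: entry.version, range });
    }
  }
  return findings;
}

// Constructed sample lockfile: one nested axios copy is still on an old line.
const sampleOverrides = { axios: "^1.18.1", ws: "^8.21.0" };
const sampleLock = { packages: {
  "": { name: "dapp" },
  "node_modules/axios": { version: "1.18.1" },
  "node_modules/ws": { version: "8.21.2" },
  "node_modules/some-sdk/node_modules/axios": { version: "1.7.9" },
} };

for (const f of checkOverrides(sampleOverrides, sampleLock)) {
  console.log(`${f.path}: ${f.version} does not satisfy ${f.range}`);
}
```

Against a real checkout, replace the sample objects with the parsed `overrides` field of package.json and the parsed package-lock.json; a non-empty result means the override did not reach every copy.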