
chore(deps): resolve Dependabot vulnerabilities #131

Merged: JosueBrenes merged 1 commit into main from chore/resolve-dependabot-vulns on Jun 30, 2026

Conversation

JosueBrenes (Contributor) commented Jun 30, 2026

Summary

Resolves the Dependabot alerts on the dapp. The default branch reports 80 alerts (2 critical, 37 high, 31 moderate, 10 low); most of that is inflation from a stray yarn.lock that made Dependabot count every vuln twice. After this PR the real surface drops to LOW only.

npm audit: 26 (1 critical, 11 high, 4 moderate, 10 low) -> 15, all LOW.

Changes

  • Remove yarn.lock. CI runs npm ci, so the project uses npm. Two lockfiles made Dependabot scan and count each vuln in both, roughly doubling the totals.
  • Pin @creit.tech/stellar-wallets-kit to 1.5.0. Versions 1.6+ and 2.x bundle near/solana/hot-wallet ecosystems (adding moderate vulns plus uuid/jayson) that the dapp never uses. It only registers Freighter, Albedo, and WalletConnect.
  • Bump next 16.2.6 to 16.2.9 and eslint-config-next to match.
  • Add overrides forcing patched transitive deps:
    • protobufjs ^7.6.4 (critical RCE, GHSA-xq3m-2v4x-88gg)
    • axios ^1.18.1 (auth bypass / SSRF / prototype pollution)
    • ws ^8.21.0 (DoS, memory disclosure)
    • ua-parser-js ^2.0.10 (ReDoS)
    • postcss ^8.5.10 (XSS)
    • brace-expansion ^2.0.2 (ReDoS)

Remaining alerts (all LOW, currently unfixable)

  • 14 trace to elliptic (GHSA-848j-6mx2-7j84). There is no patched release; 6.6.1 is the latest and is itself flagged. It is pulled in transitively by the wallet kit's Trezor/ripple support.
  • 1 is @babel/core (dev-only; the fix only exists in the breaking 8.x line).

Clearing these would require removing wallet functionality, so they are left in place.

Verification

npm run build compiles all routes, TypeScript clean. No app code changed.

Summary by CodeRabbit

  • Chores
    • Updated core app dependencies to newer versions, including the app framework and related tooling.
    • Tightened one wallet integration version to an exact release for consistency.
    • Added dependency pinning for several transitive packages to improve build stability and reduce version drift.

Drops the dapp from 1 critical + 11 high + 4 moderate to only LOW alerts,
and removes the stray yarn.lock that was duplicating every alert on GitHub.

- Remove yarn.lock: project uses npm (CI runs npm ci). Two lockfiles made
  Dependabot count each vuln across both, inflating the total.
- Pin @creit.tech/stellar-wallets-kit to 1.5.0: 1.6+ and 2.x bundle
  near/solana/hot-wallet ecosystems (adding moderate vulns plus uuid/jayson)
  that the dapp never uses. It only registers Freighter/Albedo/WalletConnect.
- Bump next 16.2.6 -> 16.2.9 and eslint-config-next 16.1.6 -> 16.2.9.
- Add overrides for patched transitive deps:
  protobufjs ^7.6.4 (critical RCE), axios ^1.18.1 (auth bypass/SSRF),
  ws ^8.21.0 (DoS), ua-parser-js ^2.0.10 (ReDoS), postcss ^8.5.10 (XSS),
  brace-expansion ^2.0.2 (ReDoS).

Remaining alerts are all LOW and currently unfixable: 14 trace to elliptic
(GHSA-848j-6mx2-7j84) which has no patched release, pulled in by the wallet
kit's Trezor/ripple support; 1 is @babel/core (dev-only, fix only in 8.x).

Verified: next build compiles all routes, TypeScript clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
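An override in package.json only raises the floor; whether npm actually re-resolved every installed copy, nested ones included, is something the lockfile has to confirm. As an added example that is not code from this PR or its project, the check below walks a lockfile v2/v3 "packages" map and reports any copy whose resolved version falls outside the override range. The package.json and lockfile fragments are constructed to mirror the PR's overrides, with one stale nested axios planted to show what a missed copy looks like.

```javascript
// Added example, not the project's code: check that package.json "overrides"
// reached every installed copy by walking a lockfile v2/v3 "packages" map.
// Constructed package.json fragment mirroring the PR's override floors.
const samplePackageJson = {
  overrides: { protobufjs: "^7.6.4", axios: "^1.18.1", ws: "^8.21.0" },
};

// Constructed lockfile fragment: one nested copy of axios was never
// re-resolved, so it still sits below the override floor.
const sampleLock = {
  packages: {
    "": { name: "dapp" },
    "node_modules/axios": { version: "1.18.1" },
    "node_modules/protobufjs": { version: "7.6.4" },
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/@creit.tech/stellar-wallets-kit": { version: "1.5.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.21.1" },
  },
};

// "1.2.3" or "1.2.3-beta.1" -> [1, 2, 3] (prerelease tag ignored).
const parts = (v) => v.split("-")[0].split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// Handles the two spec shapes this PR uses: exact "x.y.z" and caret "^x.y.z".
// Caret follows npm semantics: the leftmost non-zero component may not change.
function satisfies(version, spec) {
  const v = parts(version);
  const min = parts(spec.replace(/^\^/, ""));
  if (!spec.startsWith("^")) return cmp(v, min) === 0;
  const max = min[0] > 0 ? [min[0] + 1, 0, 0]
            : min[1] > 0 ? [0, min[1] + 1, 0] : [0, 0, min[2] + 1];
  return cmp(v, min) >= 0 && cmp(v, max) < 0;
}

// Report every installed copy (nested node_modules included) whose resolved
// version falls outside the override range for its package name.
function checkOverrides(pkg, lock) {
  const overrides = pkg.overrides || {};
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.split("node_modules/").pop(); // keeps "@scope/name"
    const spec = overrides[name];
    if (spec && !satisfies(entry.version, spec)) {
      violations.push({ path, version: entry.version, expected: spec });
    }
  }
  return violations;
}
```

To run it against the real files, replace the two constructed objects with JSON.parse of package.json and package-lock.json and fail the build when the returned list is non-empty.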
vercel Bot commented Jun 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: dapp | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 30, 2026 8:20pm

coderabbitai Bot commented Jun 30, 2026

Caution: Review failed. The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 72bbe91 and 0c02dba.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json

Walkthrough

This change updates package.json dependency versions: pins @creit.tech/stellar-wallets-kit to an exact version, bumps next and eslint-config-next to 16.2.9, and introduces a top-level overrides section pinning postcss, axios, ua-parser-js, ws, protobufjs, and brace-expansion.

Changes

Dependency updates

Layer / File(s): Dependency version bumps and overrides (package.json)
Summary: Pins stellar-wallets-kit to 1.5.0, bumps next and eslint-config-next to 16.2.9, and adds overrides for postcss, axios, ua-parser-js, ws, protobufjs, and brace-expansion.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Hop hop, the locks are tight and true,
Versions pinned in carrot stew. 🥕
No stray dependency dares to stray,
Overrides keep the chaos away.
A tidy burrow, package neat—
This bunny's build is now complete! 🐇

@JosueBrenes JosueBrenes merged commit 620a374 into main Jun 30, 2026
5 of 6 checks passed