Skip to content

fix: Security updates and dependency modernization by Claude #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jacmos3 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: Security updates and dependency modernization by Claude #1

jacmos3 wants to merge 2 commits into from

Conversation

@jacmos3
Copy link
Owner

@jacmos3 jacmos3 commented Jan 22, 2026

Summary

  • Smart contracts: Fixed ERC20 transferFrom return value checks, replaced transfer() with call() for ETH withdrawals
  • Dependencies: Migrated from web3.js to ethers.js v6, truffle/ganache to hardhat, WalletConnect v1 to v2
  • Vulnerabilities: Reduced from 110 (30 critical, 33 high) to 21 (all low severity with no upstream fix)
  • Node.js: Added engine requirement >= 18.17.0 for Next.js 14 compatibility

Changes

  • Converted all React class components to functional components with hooks
  • Updated all wallet connection code to use @web3modal/ethers hooks
  • Added npm overrides for transitive dependency vulnerabilities
  • Removed unused firebase dependency
  • Fixed various import and typo issues

Remaining 21 low vulnerabilities

All from dependencies with no upstream fix available:

  • elliptic - used by hardhat and walletconnect
  • tmp - used by solc (hardhat dependency)

Test plan

  • Run npm install with Node.js >= 18.17.0
  • Run npm run build to verify Next.js build
  • Run npx hardhat compile to verify smart contract compilation
  • Test wallet connection flow in browser

🤖 Generated with Claude Code

jacmos3 and others added 2 commits January 22, 2026 15:04
@jacmos3 @claude
fix: security vulnerabilities and dependency updates
6d2ae20 
## Security Fixes (Smart Contracts)
- LittleTraveler.sol: Add ERC20 transferFrom return check, replace transfer() with call()
- DonateDirectDAO.sol: Replace transfer() with call() in withdraw()
- TeamBoostly.sol: Fix variable shadowing (name/symbol)

## Dependency Updates (110 → 42 vulnerabilities, 30 → 0 critical)
- Migrate from web3 to ethers v6
- Migrate from web3modal to @web3modal/ethers v4 (WalletConnect v2)
- Replace truffle/ganache with hardhat
- Update Next.js 11 → 14, React 17 → 18
- Update tailwindcss 2 → 3

## Frontend Refactoring
- Convert class components to functional components with hooks
- Add proper error handling and input validation
- Remove deprecated imports and fix typos

## New Files
- hardhat.config.js - Hardhat configuration
- next.config.js - Next.js 14 configuration
- context/Web3Modal.js - Web3Modal provider
- .env.example - Environment variables template

## Removed (deprecated)
- ethereum/web3.js
- ethereum/compile.js

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@jacmos3 @claude
fix: additional security updates - reduce vulnerabilities to 21 low s…
5656d2b 
…everity

- Revert to @web3modal/ethers v5 (appkit had ESM/CommonJS issues)
- Add npm override for @coinbase/wallet-sdk (fixes high severity CVE)
- Upgrade Next.js to ^14.2.35 (fixes high severity CVEs)
- Add Node.js engine requirement (>=18.17.0)
- Remaining 21 low vulnerabilities are from elliptic/tmp (no upstream fix)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jacmos3