@nkpar nkpar commented Oct 30, 2025

Summary

This PR addresses 4 critical and high-severity security vulnerabilities in dependencies that could lead to private key compromise and wallet drainage.

Security Fixes

Critical Vulnerabilities Fixed

  1. elliptic (CRITICAL - CVSS 9.8)
    • Updated: ^6.6.1 (was <=6.6.0)
    • Issue: Private key extraction vulnerability when signing malformed input
    • Advisory: GHSA-vjh7-7g9h-fjfh
  2. form-data (CRITICAL)
    • Updated: ^4.0.4 (was <4.0.4)
    • Issue: Unsafe random function for boundary generation
    • Advisory: GHSA-fjxv-7rqg-78g4

High Severity Vulnerabilities Fixed

  1. axios (HIGH)
  2. ws (HIGH)
    • Updated: ^8.18.0 (was <7.5.10)
    • Issue: DoS when handling requests with many HTTP headers
    • Advisory: GHSA-3h5v-q93c-6h6q
    • Note: Upgraded to 8.x for better ESM support

Changes

  • Updated resolutions in package.json to force secure versions
  • Regenerated pnpm-lock.yaml with patched dependencies

Verification

All checks passed:

  • Build: All 5 packages compile successfully
  • Tests: 73 unit tests passing across 4 packages
  • TypeScript: No compilation errors
  • Security: No critical or high vulnerabilities remaining

```sh
# Verification commands
pnpm install
pnpm run build:packages
pnpm run compile
pnpm run test
pnpm audit
```

Impact

Before: Critical vulnerabilities could lead to:

  • Private key extraction and theft
  • Wallet drainage
  • SSRF, DoS, and CSRF attacks

After: All critical blockchain-specific vulnerabilities patched. Project is safe for production use with proper precautions.

Remaining Issues

6 moderate and 3 low severity issues remain (non-critical):

  • langchain <0.2.19 - Path traversal
  • next 15.2.4 - Image optimization issues
  • vite, jsondiffpatch - Dev dependencies

These can be addressed in a follow-up PR.
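The "resolutions in package.json" step above is the kind of change that is easy to regress when a lockfile is regenerated later. As an added example that is not part of this PR or the project, the Node.js script below reads a package.json resolutions (or pnpm overrides) map and a pnpm-lock.yaml and reports any of the four dependencies whose pinned range or resolved version falls below the patched floors named in the PR description. The package.json object and lockfile text embedded in it are constructed samples, not the project's real files; the version floors are the ones the PR lists.

```javascript
// Added example, not code from this PR or its project: verify that the
// resolutions pinned in package.json and the versions resolved in
// pnpm-lock.yaml are at or above the patched versions this PR names.
// Plain Node.js with no dependencies, so it runs before `pnpm install`.

// Patched floors taken from the PR description.
const MIN_PATCHED = {
  elliptic: '6.6.1',
  'form-data': '4.0.4',
  axios: '1.13.1',
  ws: '8.18.0',
};

// "1.2.3" or "1.2.3-beta" -> [1, 2, 3]; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lower bound of an exact, caret or tilde range ("^6.6.1" -> "6.6.1").
// Anything else (">=", "*", "||", "x") returns null: a pin whose lower
// bound cannot be read is treated as proving nothing.
function rangeFloor(range) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  return m ? m[1] : null;
}

// Yarn-style resolutions may use nested keys such as "**/elliptic";
// pnpm overrides normally use the bare name. Both are accepted.
function findResolution(resolutions, name) {
  const key = Object.keys(resolutions).find((k) => k === name || k.endsWith('/' + name));
  return key === undefined ? undefined : resolutions[key];
}

// Check package.json "resolutions" (or "pnpm.overrides") against MIN_PATCHED.
function checkResolutions(pkgJson) {
  const resolutions = pkgJson.resolutions || (pkgJson.pnpm && pkgJson.pnpm.overrides) || {};
  const problems = [];
  for (const [name, floor] of Object.entries(MIN_PATCHED)) {
    const range = findResolution(resolutions, name);
    if (range === undefined) { problems.push(`${name}: no resolution pinned`); continue; }
    const lower = rangeFloor(range);
    if (lower === null) { problems.push(`${name}: range "${range}" has no readable lower bound`); continue; }
    if (compareVersions(lower, floor) < 0) problems.push(`${name}: "${range}" is below patched ${floor}`);
  }
  return problems;
}

// Scan pnpm-lock.yaml text for resolved package keys. Both the lockfile v6
// form "/name@1.2.3:" and the v9 form "name@1.2.3:" are matched, with an
// optional peer suffix such as "(debug@4.3.4)"; scoped names are handled.
function checkLockfile(lockText) {
  const problems = [];
  const keyRe = /^\s*\/?((?:@[^/@\s]+\/)?[^/@\s]+)@(\d+\.\d+\.\d+)[^:]*:/gm;
  for (const m of lockText.matchAll(keyRe)) {
    const [, name, version] = m;
    const floor = MIN_PATCHED[name];
    if (floor !== undefined && compareVersions(version, floor) < 0) {
      problems.push(`${name}@${version} in lockfile is below patched ${floor}`);
    }
  }
  return problems;
}

// Combined report: an empty array means every floor is satisfied.
function auditFloors(pkgJson, lockText) {
  return [...checkResolutions(pkgJson), ...checkLockfile(lockText)];
}

// Constructed sample inputs (not the project's real files). The lockfile
// deliberately still resolves elliptic to 6.6.0, the last unpatched version
// named in the PR, so the scan has something to report.
const SAMPLE_PACKAGE_JSON = {
  name: 'constructed-sample',
  resolutions: { elliptic: '^6.6.1', 'form-data': '^4.0.4', axios: '^1.13.1', ws: '^8.18.0' },
};
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
packages:
  axios@1.13.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  elliptic@6.6.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  form-data@4.0.4:
    resolution: {integrity: sha512-CONSTRUCTED}
  ws@8.18.0:
    resolution: {integrity: sha512-CONSTRUCTED}
`;

console.log(auditFloors(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE));
```

To run it against a real checkout, pass `JSON.parse(fs.readFileSync('package.json', 'utf8'))` and `fs.readFileSync('pnpm-lock.yaml', 'utf8')` to `auditFloors` and fail the CI step when the returned array is non-empty. Checking the lockfile as well as package.json matters because a resolution only constrains what pnpm will pick on the next install; the lockfile is what actually ships, and `pnpm audit` only reports advisories it knows about, whereas a floor check catches a silent downgrade regardless.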

Updated dependency resolutions to patch critical and high severity vulnerabilities:

- elliptic: ^6.6.1 (was <=6.6.0) - Fixes private key extraction vulnerability
- form-data: ^4.0.4 (was <4.0.4) - Fixes unsafe random function in boundary generation
- axios: ^1.13.1 (was 0.24.0) - Fixes SSRF, DoS, and CSRF vulnerabilities
- ws: ^8.18.0 (was <7.5.10) - Fixes DoS vulnerability via excessive HTTP headers

All packages compile successfully and unit tests pass (73 tests across 4 packages).

Resolves critical security issues that could lead to private key compromise and wallet drainage.