fix(deps): pin tmp/follow-redirects/ws via overrides (audit 16->12)#19
…2 moderate) overrides block (no @theQRL change, no --force): tmp 0.0.33->0.2.7 (HIGH GHSA-52f5-9888-hmc6 + GHSA-ph9p-34f9-6g65, via solc@0.8.34), follow-redirects 1.15.11->1.16.0 (moderate GHSA-r4q5-vmmm-2653, via solc), ws 8.20.0->8.21.0 (moderate GHSA-58qx-3vcg-4xpx, via @theqrl/web3-providers-ws). Audit 16 -> 12. Gate: forge build (exit 0) + forge test (187 passing) + npm compile (byte-identical solc 0.8.34 output). @theqrl/web3 1.0 + wallet.js 6 DEFERRED: forge tests Solidity only; deploy/integration JS scripts need a live RPC + funded wallet to validate.
Code Review
This pull request updates several dependencies (follow-redirects, tmp, and ws) to newer, secure versions in package-lock.json and adds corresponding overrides in package.json. However, the defined overrides specify minimum versions that are lower than the secure versions resolved in the lockfile, which could allow vulnerable versions to be installed. It is recommended to update the overrides to match the minimum secure versions.
| "overrides": { | ||
| "tmp": "^0.2.6", | ||
| "follow-redirects": "^1.15.12", | ||
| "ws": "^8.20.1" | ||
| } |
The overrides in package.json specify minimum versions that are lower than the secure versions resolved in package-lock.json:
- ws: The vulnerability fix is in 8.21.0 (as noted in the PR description), but the override allows ^8.20.1, which could resolve to a vulnerable version.
- follow-redirects: The fix is in 1.16.0, but the override allows ^1.15.12.
- tmp: The resolved version is 0.2.7, but the override allows ^0.2.6.
To ensure that npm always resolves to the secure, tested versions (even during future dependency updates or lockfile regeneration), please update the overrides to match the minimum secure versions.
| "overrides": { | |
| "tmp": "^0.2.6", | |
| "follow-redirects": "^1.15.12", | |
| "ws": "^8.20.1" | |
| } | |
| "overrides": { | |
| "tmp": "^0.2.7", | |
| "follow-redirects": "^1.16.0", | |
| "ws": "^8.21.0" | |
| } |
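Review bot: the suggested floors (tmp ^0.2.7, follow-redirects ^1.16.0, ws ^8.21.0) line up with the versions resolved in package-lock.json and with the fix versions named in the description, so the override can no longer admit a release below the fix. Because the ranges keep the caret, the exact installed version is still decided by the lockfile; after changing the overrides, regenerate package-lock.json and repeat the gate (forge build, forge test, npm run compile) so the tested artifact matches what is committed.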
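The mismatch the review points out (an override floor below the version the lockfile actually resolved, and below the fix version named in the PR description) is easy to miss by eye. The following is an added example, not code from this PR or from the @theQRL project: a small Node.js check that reads the overrides block and the lockfile's packages map and flags every override whose caret floor is below the locked version or below a known fix version. The package.json and package-lock.json objects are constructed inline from the values quoted in the comment above; the fix versions for follow-redirects and ws come from the PR description, tmp's is not stated there and is left out. Only caret ranges and exact pins are handled, which is all this overrides block uses.

```javascript
// Added example: check package.json "overrides" floors against the versions
// resolved in package-lock.json (npm lockfileVersion 2/3 "packages" map).
// Handles caret ranges (^x.y.z) and exact pins (x.y.z) only.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 on the major.minor.patch triple (prerelease tags ignored)
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a range admits: "^1.15.12" and "1.15.12" both give "1.15.12"
function rangeFloor(range) {
  const m = /^\^?(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported range (only ^x.y.z or x.y.z): ${range}`);
  return m[1];
}

// npm caret semantics: ^1.15.12 => >=1.15.12 <2.0.0, ^0.2.6 => >=0.2.6 <0.3.0
function caretSatisfies(range, version) {
  const floor = rangeFloor(range);
  const cmp = compareVersions(version, floor);
  if (cmp < 0) return false;
  if (!String(range).trim().startsWith('^')) return cmp === 0; // exact pin
  const [fMaj, fMin] = parseVersion(floor);
  const [vMaj, vMin] = parseVersion(version);
  return fMaj > 0 ? vMaj === fMaj : (vMaj === 0 && vMin === fMin);
}

// Every distinct version of `name` in the lockfile, hoisted or nested
function lockedVersions(lock, name) {
  const found = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const hit = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (hit && meta && meta.version) found.add(meta.version);
  }
  return [...found].sort(compareVersions);
}

// fixedVersions: optional map name -> first version containing the fix
function auditOverrides(pkg, lock, fixedVersions = {}) {
  const findings = [];
  for (const [name, range] of Object.entries(pkg.overrides || {})) {
    const floor = rangeFloor(range);
    const locked = lockedVersions(lock, name);
    const problems = [];
    const fixed = fixedVersions[name];
    if (fixed && compareVersions(floor, fixed) < 0) {
      problems.push(`floor ${floor} is below fix version ${fixed}`);
    }
    for (const v of locked) {
      if (!caretSatisfies(range, v)) {
        problems.push(`locked ${v} is outside ${range}`);
      } else if (compareVersions(floor, v) < 0) {
        problems.push(`floor ${floor} is below locked ${v}; a lockfile regeneration may pick an older release`);
      }
    }
    findings.push({ name, range, floor, locked, ok: problems.length === 0, problems });
  }
  return findings;
}

// Constructed fixtures built from the values quoted in the review comment.
const OVERRIDES_BEFORE = { overrides: { tmp: '^0.2.6', 'follow-redirects': '^1.15.12', ws: '^8.20.1' } };
const OVERRIDES_AFTER = { overrides: { tmp: '^0.2.7', 'follow-redirects': '^1.16.0', ws: '^8.21.0' } };
const LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/tmp': { version: '0.2.7' },
    'node_modules/follow-redirects': { version: '1.16.0' },
    'node_modules/ws': { version: '8.21.0' },
  },
};
// Fix versions as stated in the PR description; tmp's is not stated there.
const FIXED = { 'follow-redirects': '1.16.0', ws: '8.21.0' };

// Human-readable report lines; in real use load the two JSON files with fs.readFileSync
function report(pkg, lock, fixed) {
  return auditOverrides(pkg, lock, fixed).map(f =>
    `${f.ok ? 'OK  ' : 'FAIL'} ${f.name} ${f.range} locked=${f.locked.join(',')}` +
    (f.problems.length ? ` :: ${f.problems.join('; ')}` : ''));
}

console.log(report(OVERRIDES_BEFORE, LOCK, FIXED).join('\n'));
console.log(report(OVERRIDES_AFTER, LOCK, FIXED).join('\n'));
```

Run against the committed overrides all three entries fail; with the suggested floors they all pass. The check is a floor check only: a caret range still lets npm pick a newer release within the same major (or the same minor for 0.x), so the lockfile remains the precise pin and the override only prevents regression below the fix.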
…, follow-redirects ^1.16.0, tmp ^0.2.7)
Uncommitted drift from the scenario-2 Hetzner deploy (PR #19 covered the ansible side; this is the terraform half):
- contract vars: drop rewards_oracle/operator_registry (retired in v2), add validator_manager; defaults now the live Q-prefixed v2.2 addresses from config/testnet-hyperion.json
- SSH key: look up pre-existing project key by fingerprint instead of creating one
- server types: cpx31/21/11 retired by Hetzner; move to cpx32/22
- monitoring node off by default (primary-IP quota: 2); reuse node #1
- per-module hcloud required_providers pin (~> 1.45); datacenter -> location on hcloud_server; terraform fmt across the tree
- gitignore terraform state/tfvars, .env.*, and the generated ansible inventory.ini (real host IPs; template stays tracked)
overrides pins (no --force, no @theQRL change): tmp 0.0.33->0.2.7 (HIGH symlink + path-traversal via solc@0.8.34), follow-redirects 1.15.11->1.16.0 (moderate GHSA-r4q5-vmmm-2653 via solc), ws 8.20.0->8.21.0 (moderate GHSA-58qx-3vcg-4xpx via @theqrl/web3-providers-ws). Audit 16 -> 12 (1 high + 2 moderate cleared; 12 low remain).
Gate: forge build (exit 0) + forge test (187 passing) + npm run compile (byte-identical solc 0.8.34 output). Solidity unaffected — pins are JS-tooling only.
Deferred: @theqrl/web3 1.0 + wallet.js 6 — forge tests Solidity only; the deploy/integration JS scripts (web3.qrl.Contract, sendTransaction, seedToAccount...) need a live RPC + funded wallet to validate, and CLAUDE.md notes v0.4 behavioral quirks (fromPlanck, non-auto-binding contract wallet). Recommend as a separate deploy-validated PR.