From 61c8fc6389a31407f8816d9d717c31e6e138f46a Mon Sep 17 00:00:00 2001
From: moscowchill
Date: Thu, 4 Jun 2026 00:06:15 +0200
Subject: [PATCH 1/2] fix(deps): pin tmp/follow-redirects/ws via overrides (clear 1 high + 2 moderate)

overrides block (no @theqrl change, no --force): tmp 0.0.33->0.2.7 (HIGH GHSA-52f5-9888-hmc6 + GHSA-ph9p-34f9-6g65, via solc@0.8.34), follow-redirects 1.15.11->1.16.0 (moderate GHSA-r4q5-vmmm-2653, via solc), ws 8.20.0->8.21.0 (moderate GHSA-58qx-3vcg-4xpx, via @theqrl/web3-providers-ws). Audit 16 -> 12. Gate: forge build (exit 0) + forge test (187 passing) + npm compile (byte-identical solc 0.8.34 output). @theqrl/web3 1.0 + wallet.js 6 DEFERRED: forge tests Solidity only; deploy/integration JS scripts need a live RPC + funded wallet to validate.
---
 package-lock.json | 34 ++++++++++------------------------
 package.json      |  5 +++++
 2 files changed, 15 insertions(+), 24 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 0150a84..9742e5c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1223,9 +1223,9 @@
       }
     },
     "node_modules/follow-redirects": {
-      "version": "1.15.11",
-      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
-      "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+      "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
       "dev": true,
       "funding": [
         {
@@ -1568,16 +1568,6 @@
         }
       }
     },
-    "node_modules/os-tmpdir": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz",
-      "integrity": "sha512-D2FR03Vir7FIu45XBY20mTb+/ZSWB00sjU9jdQXt83gDrI4Ztz5Fs7/yy74g2N5SVQY4xY1qDr4rNddwYRVX0g==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
     "node_modules/possible-typed-array-names": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/possible-typed-array-names/-/possible-typed-array-names-1.1.0.tgz",
@@ -1669,16 +1659,13 @@
       }
     },
     "node_modules/tmp": {
-      "version": "0.0.33",
-      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz",
-      "integrity": "sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==",
+      "version": "0.2.7",
+      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.7.tgz",
+      "integrity": "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw==",
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "os-tmpdir": "~1.0.2"
-      },
       "engines": {
-        "node": ">=0.6.0"
+        "node": ">=14.14"
       }
     },
     "node_modules/tr46": {
@@ -1744,11 +1731,10 @@
       }
     },
     "node_modules/ws": {
-      "version": "8.20.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
-      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
+      "version": "8.21.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
+      "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=10.0.0"
       },
diff --git a/package.json b/package.json
index 1a4c3e0..b9ba849 100644
--- a/package.json
+++ b/package.json
@@ -28,5 +28,10 @@
   },
   "devDependencies": {
     "solc": "^0.8.34"
+  },
+  "overrides": {
+    "tmp": "^0.2.6",
+    "follow-redirects": "^1.15.12",
+    "ws": "^8.20.1"
   }
 }

From 0acef942487338184e132eedfb10028911ab49aa Mon Sep 17 00:00:00 2001
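Review bot: The new `overrides` block added to package.json in the `@@ -28,5 +28,10 @@` hunk records no reason for the three pins, and since package.json cannot carry comments the advisory IDs and the upstream packages they are pulled in through (solc, @theqrl/web3-providers-ws) exist only in this commit message. Overrides keep applying after upstream fixes land, so consider adding a short note in the project's README or security documentation, or a tracked issue, listing each override with its advisory and the condition for removing it (for instance, solc no longer depending on a vulnerable tmp). Separately, the `ws` entry in the lockfile hunk at `@@ -1744,11 +1731,10 @@` loses its `"peer": true` flag, which looks like the override now resolves ws as an ordinary transitive dependency rather than through the peer range declared by @theqrl/web3-providers-ws; it is worth confirming that package's declared range still admits 8.21.0, since an override replaces that range rather than being checked against it.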
From: moscowchill
Date: Thu, 4 Jun 2026 08:40:22 +0200
Subject: [PATCH 2/2] address review: bump override floors to resolved versions (ws ^8.21.0, follow-redirects ^1.16.0, tmp ^0.2.7)

---
 package.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index b9ba849..8cc1f65 100644
--- a/package.json
+++ b/package.json
@@ -30,8 +30,8 @@
     "solc": "^0.8.34"
   },
   "overrides": {
-    "tmp": "^0.2.6",
-    "follow-redirects": "^1.15.12",
-    "ws": "^8.20.1"
+    "tmp": "^0.2.7",
+    "follow-redirects": "^1.16.0",
+    "ws": "^8.21.0"
   }
 }