wip #409

PatrickAlphaC · 2025-05-21T00:17:13Z

No description provided.

socket-security · 2025-05-21T00:17:55Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Quality	Maintenance
	@reown/appkit-polyfills@1.7.6
	@walletconnect/jsonrpc-provider@1.0.13 ⏵ 1.0.14		^-4
	@walletconnect/jsonrpc-ws-connection@1.0.13 ⏵ 1.0.16	⁺¹	^-5
	@walletconnect/jsonrpc-http-connection@1.0.7 ⏵ 1.0.8	⁺¹	^-3
	@walletconnect/heartbeat@1.2.1 ⏵ 1.2.2		^-3
	@walletconnect/relay-api@1.0.9 ⏵ 1.0.11	⁺¹	^-3
	@walletconnect/logger@2.0.1 ⏵ 2.1.2	⁺¹
	derive-valtio@0.1.0
	@walletconnect/relay-auth@1.0.4 ⏵ 1.1.0	⁺¹	⁺¹
	@walletconnect/types@2.10.2 ⏵ 2.20.1	⁺¹	⁺¹
	@reown/appkit-pay@1.7.6
	@walletconnect/utils@2.10.2 ⏵ 2.20.1		⁺²
	stream-shift@1.0.1 ⏵ 1.0.3	⁺¹	⁺¹
	@reown/appkit-adapter-ethers5@1.7.6
	@walletconnect/core@2.10.2 ⏵ 2.20.1	⁺¹	⁺¹
	@reown/appkit-common@1.7.6
	@reown/appkit-utils@1.7.6
	isows@1.0.6
	@reown/appkit@1.7.6
	@reown/appkit-wallet@1.7.6
	@walletconnect/sign-client@2.10.2 ⏵ 2.20.1	⁺¹	⁺¹	⁺¹
	uncrypto@0.1.3
See 48 more rows in the dashboard

View full report

socket-security · 2025-05-21T00:17:57Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Block		`@reown/walletkit@1.2.4` has Unstable ownership. Author: reown-npm-org From: package.json → `npm/@reown/walletkit@1.2.4` ℹ Read more on: This package \| This alert \| What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@reown/walletkit@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`@coinbase/wallet-sdk@4.3.0` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/@coinbase/wallet-sdk@4.3.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@coinbase/wallet-sdk@4.3.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`@reown/appkit-controllers@1.7.6` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/@reown/appkit-controllers@1.7.6` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@reown/appkit-controllers@1.7.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`@reown/appkit-pay@1.7.6` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/@reown/appkit-pay@1.7.6` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@reown/appkit-pay@1.7.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`@reown/walletkit@1.2.4` has Network access. Module: globalThis["fetch"] Location: Package overview From: package.json → `npm/@reown/walletkit@1.2.4` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@reown/walletkit@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`@walletconnect/utils@2.20.1` has Network access. Module: globalThis["fetch"] Location: Package overview From: package.json → `npm/@walletconnect/utils@2.20.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@walletconnect/utils@2.20.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`@walletconnect/utils@2.20.2` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/@walletconnect/universal-provider@2.20.2` → `npm/@walletconnect/utils@2.20.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@walletconnect/utils@2.20.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`crossws@0.3.5` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/crossws@0.3.5` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/crossws@0.3.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`node-fetch-native@1.6.6` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/node-fetch-native@1.6.6` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/node-fetch-native@1.6.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`ofetch@1.4.1` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/ofetch@1.4.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ofetch@1.4.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`ox@0.6.7` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/ox@0.6.7` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ox@0.6.7`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`ox@0.6.9` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/@reown/appkit@1.7.6` → `npm/ox@0.6.9` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ox@0.6.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`unstorage@1.16.0` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/unstorage@1.16.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/unstorage@1.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`viem@2.23.2` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/viem@2.23.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/viem@2.23.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`viem@2.30.0` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/@reown/appkit@1.7.6` → `npm/viem@2.30.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/viem@2.30.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

wip

8633e22

PatrickAlphaC mentioned this pull request May 21, 2025

Wallet Connect is outdated #408

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

wip #409

wip #409

Uh oh!

PatrickAlphaC commented May 21, 2025

Uh oh!

socket-security bot commented May 21, 2025

Uh oh!

socket-security bot commented May 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

wip #409

Are you sure you want to change the base?

wip #409

Uh oh!

Conversation

PatrickAlphaC commented May 21, 2025

Uh oh!

socket-security bot commented May 21, 2025

Uh oh!

socket-security bot commented May 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant