Skip to content

Fix/ledger session usb#803

Open
ByteZhang1024 wants to merge 4 commits into
onekeyfrom
fix/ledger-session-usb
Open

Fix/ledger session usb#803
ByteZhang1024 wants to merge 4 commits into
onekeyfrom
fix/ledger-session-usb

Conversation

@ByteZhang1024
Copy link
Copy Markdown
Contributor

@ByteZhang1024 ByteZhang1024 commented May 24, 2026

No description provided.

@revan-zhang
Copy link
Copy Markdown
Contributor

revan-zhang commented May 24, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 24, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: npm cipher-base is missing type checks, leading to hash rewind and passing on crafted data

CVE: GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data (CRITICAL)

Affected versions: < 1.0.5

Patched version: 1.0.5

From: ?npm/ripple-keypairs@1.3.0npm/cipher-base@1.0.4

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cipher-base@1.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)

CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL)

Affected versions: < 6.6.1

Patched version: 6.6.1

From: ?npm/ripple-keypairs@1.3.0npm/elliptic@6.5.4

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Arbitrary code execution in npm protobufjs

CVE: GHSA-xq3m-2v4x-88gg Arbitrary code execution in protobufjs (CRITICAL)

Affected versions: >= 8.0.0 < 8.0.1; < 7.5.5

Patched version: 7.5.5

From: ?npm/@onekeyfe/hd-common-connect-sdk@1.1.15npm/protobufjs@6.11.4

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/protobufjs@6.11.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: npm sha.js is missing type checks leading to hash rewind and passing on crafted data

CVE: GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data (CRITICAL)

Affected versions: < 2.4.12

Patched version: 2.4.12

From: ?npm/ripple-keypairs@1.3.0npm/sha.js@2.4.11

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sha.js@2.4.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ?npm/cheerio@1.0.0-rc.12npm/entities@4.5.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ?npm/nextra@4.6.0npm/entities@6.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

originalix
originalix reviewed May 25, 2026
View reviewed changes
Comment thread packages/hwk-ledger-adapter/src/adapter/LedgerAdapter.ts Outdated
originalix
originalix reviewed May 25, 2026
View reviewed changes
Comment thread packages/hwk-ledger-adapter/src/connector/LedgerConnectorBase.ts Outdated
@ByteZhang1024 ByteZhang1024 mentioned this pull request May 25, 2026
Merged
@ByteZhang1024 ByteZhang1024 force-pushed the fix/ledger-session-usb branch from ff7a6e1 to 85eeac7 Compare May 25, 2026 04:55
originalix
originalix reviewed May 26, 2026
View reviewed changes
Comment thread packages/hwk-ledger-adapter/src/adapter/LedgerAdapter.ts Outdated
@ByteZhang1024
fix(ledger): enforce USB single-session and reject multi-device
12a971c 
Harden Ledger USB session/connection handling so multi-Ledger or replug
scenarios can't route calls to the wrong device:

- Reject multiple USB devices instead of auto-selecting by ephemeral path
  (new DeviceOneDeviceOnly error; added to ORPHAN_ELIGIBLE_ERROR_CODES so a
  batch aborts on it).
- ensureConnected does the ambient first-session fallback only when the
  caller passed no connectId; an explicit miss re-resolves THAT device.
- Make device-state subscription setup fatal: on failure, disconnect the
  just-created DMK session so no ghost entry leaks into _sessions.
- Evict any pre-existing session before opening a new USB connection.

Scope: Ledger-only (hwk-ledger-adapter / hwk-adapter-core). Does not touch
the OneKey SDK stack.
@ByteZhang1024
fix(ledger): enforce single-USB only on auto-connect, not at discovery
3a2eb45 
Addresses review feedback on multi-USB handling:
- searchDevices() no longer rejects when multiple USB devices are present; it
  returns the full list so an explicit connectId can resolve its target.
- _connectFirstOrSelect rejects multiple devices only on the no-target
  auto-connect path; an explicit connectId connects that device (or the sole
  USB device after an ephemeral-path replug) and otherwise fails not-found.
@ByteZhang1024
fix(ledger): guard USB fallback with fingerprint
345d9fc
@ByteZhang1024 ByteZhang1024 force-pushed the fix/ledger-session-usb branch from 85eeac7 to 345d9fc Compare May 27, 2026 10:15
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 27, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednext@​16.0.105425919970
Addednextra@​4.6.0831007488100
Added@​ai-sdk/​react@​3.0.1101001007498100
Addedlodash@​4.17.2175828785100
Addedbuffer@​6.0.39910010075100
Addedevents@​3.3.01001008675100
Addedstring_decoder@​1.3.01001008475100
Addedprocess@​0.11.101001007675100
Addedstream-browserify@​3.0.01001007875100
Addednextra-theme-docs@​4.6.0991007788100
Added@​onekeyfe/​hd-common-connect-sdk@​1.1.15781008297100
Added@​types/​react@​19.2.71001007995100
Added@​reactour/​tour@​3.8.01001009980100
Addedlottie-react@​2.4.19910010080100
Updated@​types/​node@​16.18.105 ⏵ 24.10.110010081 +195100
Addedripple-keypairs@​1.3.01001008382100
Addedpostcss@​8.5.699998293100
Addedremark-gfm@​4.0.19910010083100
Addedreact-markdown@​10.1.09910010083100
Added@​xstate/​react@​6.0.01001008584100
Addedtailwindcss@​4.1.171001008498100
Addedreact@​19.2.01001008497100
Addedcheerio@​1.0.0-rc.129910010084100
Addedgsap@​3.14.288100998590
Addedassert@​2.0.0991009385100
Addedprismjs@​1.30.0991008986100
Addedprism-react-renderer@​2.4.19810010086100
Addedautoprefixer@​10.4.22991008986100
Addedpagefind@​1.4.01001008689100
Updated@​noble/​hashes@​1.4.0 ⏵ 1.3.110010010086100
Addedparcel@​2.9.3981009086100
Addedtypescript@​5.9.3100100909590
Addedreact-dom@​19.2.01001009298100
See 6 more rows in the dashboard

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@originalix originalix originalix left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ByteZhang1024 @revan-zhang @originalix