chore(deps): resolve Dependabot critical/high/moderate alerts#45

Merged
pasevin merged 1 commit into
mainfrom
chore/dependabot-batch
Jun 6, 2026
Conversation

@pasevin pasevin commented Jun 6, 2026

Collaborator

Summary

Single-PR sweep of the open Dependabot advisories on the adapters repo. Knocks out 8 criticals, multiple highs, and most moderates by bumping direct deps and adding workspace-level pnpm overrides.

Direct dep bump

  • vitest ^3.2.4 → ^4.1.0 across all 8 adapter packages — patches GHSA-5xrq-8626-4rwp (arbitrary file read/exec via Vitest UI server). Resolves to 4.1.8.

Override migration: package.json#pnpm → pnpm-workspace.yaml

pnpm v11 silently ignores package.json#pnpm.overrides. The existing overrides (valtio, viem, midnight-js-*, etc.) were already inert. This PR migrates them to pnpm-workspace.yaml#overrides so they take effect.

Verified by checking the lockfile: pre-PR resolved valtio@1.11.2 (override said ^1.13.2); post-PR correctly resolves valtio@1.13.2.

New security overrides

| Advisory | Package | Fix |
| --- | --- | --- |
| GHSA-jggg, 685m, 66ff, 2pr8, fx83, 75px, jvwf, q6x5, xq3m | protobufjs | <7.5.8 → ^7.5.8 |
| GHSA-q6x5-8v7m-xcrf | @protobufjs/utf8 | <1.1.1 → ^1.1.1 |
| GHSA-2gcr, 3hrh, xrhx, f577, qp7p, hm8q, p77w, 69xw, 9vqf, 458j, r5rp, 26pp, xpcf, wmmm, xf4j | hono | <4.12.21 → ^4.12.21 |
| GHSA-58qx-3vcg-4xpx | ws | >=8.0.0 <8.20.1 → ^8.20.1 |
| GHSA-p9ff, v2wj, 4w7w | vite | >=7.0.0 <7.3.2 → ^7.3.2 |
| GHSA-r5fr, f23m, xxjr | lodash | <4.18.0 → ^4.18.0 |
| GHSA-ph9p, 52f5 | tmp | <0.2.6 → ^0.2.6 |
| GHSA-qj3p-xc97-xw74 | @metamask/sdk + …-communication-layer | <0.33.1 → ^0.33.1 |
| GHSA-v2v4-37r5-5v8g | ip-address | <=10.1.0 → ^10.1.1 |

Vitest 4 mock compat fix in adapter-stellar

Vitest 4 / tinyspy@4 switched constructor invocation to Reflect.construct(impl, args), which throws on arrow-function implementations per ES spec. Existing vi.fn(() => ({...})) mocks used as constructors (new StellarRpc.Server(...), new Contract(...), new TransactionBuilder(...), new Account(...), Spec(...)) had to be converted to regular function expressions. Five test files touched:

  • test/access-control/ownable-two-step.test.ts
  • test/contract/loader-sac.test.ts
  • test/contract/type-detection.test.ts
  • test/query/sac-query.test.ts
  • test/query/state-mutability.test.ts

Not fixed in this PR (justifications for dismissal)

| Alert | Reason |
| --- | --- |
| uuid 8.3.2/9.0.1 — GHSA-w5hq-g745-h8pq | CVE only affects v3/v5/v6 with explicit buf arg. Solana web3.js / MetaMask utils call v4() only. Forcing ^11.1.1 would violate @solana/web3.js peer constraints. |
| elliptic 6.6.1 — GHSA-848j-6mx2-7j84 | No upstream patch exists. |
| bigint-buffer 1.1.5 — GHSA-3gc7-fjrx-p6mg | No upstream patch exists. Transitive via @solana/spl-token. |

Test plan

  • pnpm install succeeds; lockfile regenerated cleanly
  • pnpm -r typecheck passes
  • pnpm -r test — all tests pass across 8 packages on vitest 4.1.8 (stellar 865/865, evm 126/126, polkadot 66/66, adapters-vite 14/14, plus solana / midnight / evm-core / runtime-utils)
  • Verified vulnerable copies purged from pnpm-lock.yaml:
    • ws 8.18.x → only 8.20.1 (+ untouched 7.5.10)
    • hono 4.12.8 → 4.12.23
    • protobufjs 7.4.0/7.6.0 → 7.6.0 only (7.4.0 gone)
    • tmp 0.0.33 → 0.2.7
    • vite 7.3.1 → none (only 8.0.5)
    • lodash 4.17.21 → 4.18.1 only
    • ip-address 10.1.0 → 10.2.0
    • @metamask/sdk* 0.32.0 → 0.33.1 only
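As an added example, not code from this PR or the adapters repo: a dependency-free Node script that performs the last test-plan item mechanically, scanning a pnpm-lock.yaml for package versions that still fall inside the vulnerable ranges listed in the override table above. The lockfile excerpts are constructed for the demo, the range grammar covers only the comparators the table uses, and the key regex is an assumption about the v6/v9 lockfile key layout rather than a full YAML parse.

```javascript
// Added example (not code from the PR or the adapters repo): check a
// pnpm-lock.yaml for package versions still inside a vulnerable range.

// Vulnerable ranges exactly as listed in the PR's override table.
const VULNERABLE_RANGES = {
  "protobufjs": "<7.5.8",
  "@protobufjs/utf8": "<1.1.1",
  "hono": "<4.12.21",
  "ws": ">=8.0.0 <8.20.1",
  "vite": ">=7.0.0 <7.3.2",
  "lodash": "<4.18.0",
  "tmp": "<0.2.6",
  "@metamask/sdk": "<0.33.1",
  "@metamask/sdk-communication-layer": "<0.33.1",
  "ip-address": "<=10.1.0",
};

// Numeric major.minor.patch prefix only; pre-release tags are ignored
// (sufficient for the ranges above, not a full semver implementation).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Range grammar: whitespace-separated comparators that must all hold,
// e.g. ">=8.0.0 <8.20.1". Assumption: only <, <=, >, >=, = appear.
function inRange(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  return range.trim().split(/\s+/).every((comparator) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
    if (!m) throw new Error(`unsupported comparator: ${comparator}`);
    const cmp = compareVersions(v, parseVersion(m[2]));
    switch (m[1] || "=") {
      case "<": return cmp < 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case ">=": return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Extract name@version keys from lockfile text. Assumed key shapes:
// `  ws@8.18.3:`, `  '@scope/name@1.2.3':`, `  vite@7.3.1(@types/node@20.11.0):`
// (lockfile v9) or `  /ws@8.18.3:` (v6). The same key shows up under both
// packages: and snapshots:, so results are de-duplicated.
function lockfilePackages(lockText) {
  const re = /^ {2}'?\/?((?:@[^\s/']+\/)?[^\s@/']+)@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)(?:\([^)]*\))*'?:\s*$/gm;
  const seen = new Set();
  const out = [];
  let m;
  while ((m = re.exec(lockText)) !== null) {
    const key = `${m[1]}@${m[2]}`;
    if (seen.has(key)) continue;
    seen.add(key);
    out.push({ name: m[1], version: m[2] });
  }
  return out;
}

// Sorted "name@version" strings that still fall inside a vulnerable range.
function findVulnerable(lockText, ranges = VULNERABLE_RANGES) {
  return lockfilePackages(lockText)
    .filter(({ name, version }) => name in ranges && inRange(version, ranges[name]))
    .map(({ name, version }) => `${name}@${version}`)
    .sort();
}

// Constructed lockfile excerpt (not the repo's real pnpm-lock.yaml).
const LOCKFILE_BEFORE = `
lockfileVersion: '9.0'

packages:
  '@metamask/sdk@0.32.0':
    resolution: {integrity: sha512-constructed}
  hono@4.12.8:
    resolution: {integrity: sha512-constructed}
  lodash@4.17.21:
    resolution: {integrity: sha512-constructed}
  tmp@0.0.33:
    resolution: {integrity: sha512-constructed}
  vite@7.3.1(@types/node@20.11.0):
    resolution: {integrity: sha512-constructed}
  ws@7.5.10:
    resolution: {integrity: sha512-constructed}
  ws@8.18.3:
    resolution: {integrity: sha512-constructed}
`;

// Same excerpt after the overrides take effect; ws 7.5.10 stays untouched.
const LOCKFILE_AFTER = LOCKFILE_BEFORE
  .replace("@metamask/sdk@0.32.0", "@metamask/sdk@0.33.1")
  .replace("hono@4.12.8", "hono@4.12.23")
  .replace("lodash@4.17.21", "lodash@4.18.1")
  .replace("tmp@0.0.33", "tmp@0.2.7")
  .replace("vite@7.3.1", "vite@8.0.5")
  .replace("ws@8.18.3", "ws@8.20.1");

if (typeof require !== "undefined" && require.main === module) {
  console.log("before:", findVulnerable(LOCKFILE_BEFORE));
  console.log("after: ", findVulnerable(LOCKFILE_AFTER));
}
```

Run against a real lockfile with `findVulnerable(fs.readFileSync("pnpm-lock.yaml", "utf8"))`; a non-empty result means an override did not reach that copy, which is exactly the silent-inert failure mode the migration in this PR fixes, and it catches ranges like `ws >=8.0.0 <8.20.1` where an older major is legitimately left alone.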

Bumps direct `vitest` dependency from ^3.2.4 to ^4.1.0 across the eight
adapter packages to patch GHSA-5xrq-8626-4rwp (arbitrary file
read/exec via Vitest UI server).

Migrates the `overrides` and `patchedDependencies` blocks from
`package.json#pnpm.*` into `pnpm-workspace.yaml`, since pnpm v11 ignores
the package.json variant. The existing overrides (valtio, viem,
midnight-js-*, etc.) were already silently inert under v11; this
migration also makes them effective. New security overrides added:

- protobufjs <7.5.8 → ^7.5.8 (GHSA-jggg, 685m, 66ff, 2pr8, fx83, 75px,
  jvwf, q6x5, xq3m — DoS, code injection, prototype pollution, RCE)
- @protobufjs/utf8 <1.1.1 → ^1.1.1 (GHSA-q6x5, overlong UTF-8)
- hono <4.12.21 → ^4.12.21 (GHSA-2gcr, 3hrh, xrhx, f577, qp7p, hm8q,
  p77w, 69xw, 9vqf, 458j, r5rp, 26pp, xpcf, wmmm, xf4j — cookie
  injection, JWT issues, path traversal, etc.)
- ws >=8.0.0 <8.20.1 → ^8.20.1 (GHSA-58qx, memory disclosure)
- vite >=7.0.0 <7.3.2 → ^7.3.2 (GHSA-p9ff, v2wj, 4w7w — fs.deny bypass)
- lodash <4.18.0 → ^4.18.0 (GHSA-r5fr, f23m, xxjr — code injection,
  prototype pollution)
- tmp <0.2.6 → ^0.2.6 (GHSA-ph9p, 52f5 — path traversal via symlink)
- @metamask/sdk + @metamask/sdk-communication-layer <0.33.1 → ^0.33.1
  (GHSA-qj3p, malicious debug@4.4.2)
- ip-address <=10.1.0 → ^10.1.1 (GHSA-v2v4, XSS in Address6)

Fixes vitest 4 mock incompatibility in adapter-stellar tests where
`vi.fn(arrow)` mocks were used as constructors. Vitest 4 / tinyspy 4
now uses `Reflect.construct(impl, args)` which throws on arrow
functions per ES spec. Converted affected mocks to regular `function`
expressions across five test files.

Not fixed (no upstream patch, not exploitable, or breaking-major-bump):
- uuid 8.3.2/9.0.1 (GHSA-w5hq) — CVE only affects v3/v5/v6 with buf
  arg; our consumers use v4(). Pin to ^11.1.1 would break peer deps.
- elliptic 6.6.1 (GHSA-848j) — no patched release exists.
- bigint-buffer 1.1.5 (GHSA-3gc7) — no patched release exists.
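An added illustration, not code from the PR, Vitest or tinyspy, of the `Reflect.construct` behaviour the commit message describes. `makeSpy` is a hypothetical stand-in for `vi.fn` that forwards `new` invocations through `Reflect.construct(impl, args)`, so the arrow-function mock shape that broke in adapter-stellar fails with a TypeError while the equivalent `function` expression constructs normally.

```javascript
// Added example (not code from the PR, Vitest or tinyspy): why a vi.fn()
// mock backed by an arrow function breaks once the test does `new Mock()`.

// Hypothetical stand-in for vi.fn(): records calls and, like a Vitest 4 spy,
// forwards `new` invocations to the implementation via Reflect.construct.
function makeSpy(impl) {
  const calls = [];
  const spy = function (...args) {
    calls.push(args);
    if (new.target) {
      // Reflect.construct requires IsConstructor(impl). Arrow functions have
      // no [[Construct]] internal method, so this throws a TypeError for them.
      return Reflect.construct(impl, args);
    }
    return impl.apply(this, args);
  };
  spy.calls = calls;
  return spy;
}

// "Before": arrow-function implementation, the shape that broke under Vitest 4.
const ServerArrow = makeSpy((url) => ({ url, getAccount: () => "mock-account" }));

// "After": regular function expression. It is constructible, and because it
// returns an object, `new` yields that object rather than a fresh `this`.
const ServerFn = makeSpy(function (url) {
  return { url, getAccount: () => "mock-account" };
});

// Attempt `new Spy(...args)` and report the outcome instead of throwing.
function constructWith(Spy, ...args) {
  try {
    return { ok: true, instance: new Spy(...args) };
  } catch (err) {
    return { ok: false, error: err.constructor.name, message: err.message };
  }
}

// Plain calls (no `new`) work with either shape, which is why the breakage
// only surfaced for mocks that tests instantiate as constructors.
function callWithoutNew(Spy, ...args) {
  return Spy(...args);
}

console.log("arrow impl:   ", constructWith(ServerArrow, "https://rpc.example"));
console.log("function impl:", constructWith(ServerFn, "https://rpc.example"));
```

The same rule applies to a `class` implementation (constructible) and explains why `Spec(...)`-style plain calls were unaffected; only the mocks invoked with `new` needed the conversion.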
@pasevin pasevin merged commit 02224b8 into main Jun 6, 2026
9 checks passed
@pasevin pasevin deleted the chore/dependabot-batch branch June 6, 2026 10:46