[Aikido] Fix 5 critical issues in thirdweb, wagmi, @changesets/parse and 4 more #369
aikido-autofix[bot] wants to merge 1 commit into main from
PR Summary: Focuses on dependency pinning and small package adjustments to address security and compatibility.
Written by Cursor Bugbot for commit 87bd286. This will update automatically on new commits.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
| "react": ">=18.3.1", | ||
| "react-dom": ">=18.3.1", | ||
| "thirdweb": "^5.68.0", | ||
| "thirdweb": "5.72.0-nightly-393d0cfb504401d6449a75cbe8422946d157fc93-20241202000349", |
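Review bot: The `+` line replaces the `^5.68.0` range on the `-` line with an exact nightly build string for thirdweb, yet the PR description's summary of bumped packages (wagmi, @babel, react and react-dom, @privy-io/cross-app-connect, viem) never mentions thirdweb at all; either restore a stable release range consistent with the `^5.68.0` peer range or state in the description why this particular nightly is required, so the change is not mistaken for an accidental local pin.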
Nightly build used instead of stable release
Medium Severity
The thirdweb devDependency was changed from stable ^5.68.0 to a nightly build 5.72.0-nightly-393d0cfb504401d6449a75cbe8422946d157fc93-20241202000349 from December 2024. Nightly builds are inherently unstable and intended for temporary testing, not production dependencies. The peerDependency still specifies stable ^5.68.0, creating a mismatch. This appears unintentional for a security-focused PR and could cause unexpected test failures or behavior during development.
| "js-yaml@<=4.1.1": "4.1.1", | ||
| "react-native@<=0.81.0": "0.81.0", | ||
| "metro@<=0.83.2": "0.83.2", | ||
| "metro-config@<=0.83.2": "0.83.2", |
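Review bot: Every entry in this hunk has the shape `"name@<=X": "X"`, which only lifts versions older than X and leaves X itself untouched, so it is a fix only when X is already the patched release; nothing in the PR description says which advisory `"js-yaml@<=4.1.1"`, `"react-native@<=0.81.0"` or the two metro entries address, so please list the advisory and its fixed version per override in the description so a reviewer can confirm each X is at or above that fixed version.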
Security overrides may target vulnerable versions
High Severity
The pnpm overrides for metro and metro-config pin to version 0.83.2, but the Snyk vulnerability database shows 0.83.3 as the "latest non-vulnerable version." This suggests 0.83.2 may still be vulnerable to the Metro dev server RCE vulnerability (AIKIDO-2025-10854). The overrides would force users to a potentially vulnerable version instead of the patched 0.83.3.
| "metro@<=0.83.2": "0.83.2", | ||
| "metro-config@<=0.83.2": "0.83.2", | ||
| "@react-native-community/cli@<=17.0.1": "17.0.1", | ||
| "@react-native-community/cli-server-api@<=17.0.1": "17.0.1" |
Missing security overrides for newer vulnerable branches
Medium Severity
The pnpm overrides for @react-native-community/cli-server-api and @react-native-community/cli only cover versions <=17.0.1. However, the CVE-2025-11953 RCE vulnerability also affects versions 18.0.0, 19.0.0-alpha.0 through 19.1.1, and 20.0.0-alpha.x. If any transitive dependency requires these versions, the override pattern would not match and users would remain vulnerable to the critical RCE.
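One way to mechanise the two checks Bugbot raises above (an override whose replacement sits below the advisory's fixed version, and a selector that never matches versions the advisory says are affected); this is an added example, not code from the PR or from Aikido or Cursor. It assumes the `name@<=X` selector form used in this PR and a hand-constructed advisory table taken from the comments above rather than the published advisory records.

```javascript
// Minimal semver parser; prerelease tags compare lexically (enough for this check).
function parseVer(v) {
  const [core, ...pre] = v.split("-");
  const [major, minor, patch] = core.split(".").map(Number);
  return { major, minor, patch, pre: pre.length ? pre.join("-") : null };
}
function cmpVer(a, b) {
  const x = parseVer(a), y = parseVer(b);
  for (const k of ["major", "minor", "patch"]) if (x[k] !== y[k]) return x[k] - y[k];
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;   // a release outranks its own prereleases
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}
// "pkg@<=1.2.3" -> { name: "pkg", op: "<=", version: "1.2.3" }
function parseSelector(key) {
  const m = key.match(/^(.+)@(<=|<|>=|>|=)?(\d.+)$/);
  if (!m) throw new Error(`unsupported override selector: ${key}`);
  return { name: m[1], op: m[2] || "=", version: m[3] };
}
function selectorMatches(sel, version) {
  const c = cmpVer(version, sel.version);
  return { "<=": c <= 0, "<": c < 0, ">=": c >= 0, ">": c > 0, "=": c === 0 }[sel.op];
}
// Flags (a) a replacement below the advisory's fixed version, (b) affected versions the selector skips.
function auditOverrides(overrides, advisories) {
  const findings = [];
  for (const [key, replacement] of Object.entries(overrides)) {
    const sel = parseSelector(key);
    const adv = advisories[sel.name];
    if (!adv) continue;
    if (adv.fixed && cmpVer(replacement, adv.fixed) < 0)
      findings.push(`${key}: replacement ${replacement} is below fixed ${adv.fixed}`);
    for (const v of adv.affected)
      if (!selectorMatches(sel, v)) findings.push(`${key}: affected ${v} not matched by selector`);
  }
  return findings;
}
const OVERRIDES = {  // copied from the PR's pnpm.overrides hunk
  "metro@<=0.83.2": "0.83.2", "metro-config@<=0.83.2": "0.83.2",
  "@react-native-community/cli@<=17.0.1": "17.0.1",
  "@react-native-community/cli-server-api@<=17.0.1": "17.0.1",
};
const ADVISORIES = {  // constructed from the Bugbot comments, not fetched advisory records
  "metro": { fixed: "0.83.3", affected: ["0.83.2"] },
  "metro-config": { fixed: "0.83.3", affected: ["0.83.2"] },
  "@react-native-community/cli": { affected: ["18.0.0", "19.1.1", "20.0.0-alpha.1"] },
  "@react-native-community/cli-server-api": { affected: ["18.0.0", "19.1.1"] },
};
console.log(auditOverrides(OVERRIDES, ADVISORIES).join("\n"));
```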
Patches critical RCE vulnerabilities in React Native CLI, fixes cryptographic signature weakness, and mitigates potential prototype pollution and SDK supply chain risks.
✅ 4 CVEs resolved by this upgrade, including 1 critical 🚨 CVE
This PR will resolve the following CVEs:
The debug package version could interfere with dApp-to-wallet communication when installed during a specific time window, potentially compromising browser-based MetaMask SDK applications through dependency injection.
PR-Codex overview
This PR focuses on updating the package.json files across multiple packages, including dependencies, devDependencies, and adjustments to file structures, ensuring compatibility with newer versions and improving project organization.
Detailed summary
- files array formatting in package.json files.
- wagmi from 2.14.11 to 2.17.1.
- @babel packages to 7.28.x.
- react and react-dom versions to 19.2.3.
- @privy-io/cross-app-connect version to 0.2.3.
- viem version to 2.44.4.