
chore(deps): security update — 0c 8h 9m 0l → 0c 4h 5m 0l #1

Merged
VickyXAI merged 2 commits into main from chore/dep-security
Jun 29, 2026

@VickyXAI

Contributor

What changed

Dependency security remediation (npm). Two safe passes:

  1. npm update — in-range, semver-safe upgrades across 45 packages.
  2. overrides — forced ws to ^8.21.0 (latest) to flush the vulnerable ws@8.20.1 bundled by viem and ws@7.5.11 bundled by jayson (both transitive). No postcss in the tree, so no postcss override added.

package.json + package-lock.json only. No source changes.

Audit before → after

|        | critical | high | moderate | low | total |
|--------|----------|------|----------|-----|-------|
| before | 0        | 8    | 9        | 0   | 17    |
| after  | 0        | 4    | 5        | 0   | 9     |

Build / test

  • npm run build (tsc + asset copy): pass (exit 0)
  • npm test (347 node:test cases): pass (347/347, exit 0)

Residual advisories (left intentionally)

All 9 remaining are deep in the Solana / @blockrun/llm stack with no non-major fix:

  • bigint-buffer (high, range * — no patched version published) → drives @solana/buffer-layout-utils, @solana/spl-token, @solana/spl-token-group, @solana/spl-token-metadata, @solana/web3.js.
  • @blockrun/llm (high) → via @x402/evm (no fix available).
  • uuid (<11.1.1, moderate) — left deliberately; v9→v11 is a risky major.
  • jayson (moderate) — only fix is a @solana/web3.js semver-major downgrade.

npm's only auto-fix for these is --force (semver-major downgrades of @solana/spl-token → 0.1.8 and @solana/web3.js → 0.0.3), which would break the trading stack. Deferred for a deliberate upgrade.

⚠️ Please review and QA before merge. Do not merge automatically.

1bcMax added 2 commits June 29, 2026 09:47
clawrouter 0.12.214 (pulled in transitively via @blockrun/llm) now
declares engines node >=22. Drop the Node 20 CI matrix leg and bump
package.json engines to >=22 so the declared/runtime target is honest.
@VickyXAI VickyXAI merged commit 5c42d55 into main Jun 29, 2026
1 check passed
@VickyXAI VickyXAI deleted the chore/dep-security branch June 29, 2026 17:54
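
An added example, not part of the pull request or the project's code: one way to confirm that an `overrides` pin such as the `ws` one described above left no older nested copy in `package-lock.json`. It assumes the lockfileVersion 2/3 `packages` map; the function names are hypothetical and both sample lockfiles are constructed.

```javascript
// Added example: list copies of a package in a parsed package-lock.json
// (lockfileVersion 2/3 "packages" map) that are older than a version floor.

// Compare plain x.y.z versions; pre-release/build suffixes are ignored (assumption).
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every installed copy of `name` whose version is below `minVersion`,
// including copies nested under another dependency's node_modules.
function findStaleCopies(lock, name, minVersion) {
  const suffix = "node_modules/" + name;
  const stale = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    if (meta.link || !meta.version) continue; // links carry no version of their own
    if (compareVersions(meta.version, minVersion) < 0) {
      stale.push({ path, version: meta.version });
    }
  }
  return stale.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed sample lockfiles, trimmed to the fields the check reads.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/viem/node_modules/ws": { version: "8.20.1" },
    "node_modules/jayson/node_modules/ws": { version: "7.5.11" },
    "node_modules/isomorphic-ws": { version: "4.0.1" },
  },
};
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/isomorphic-ws": { version: "4.0.1" },
  },
};

console.log("before:", findStaleCopies(lockBefore, "ws", "8.21.0"));
console.log("after: ", findStaleCopies(lockAfter, "ws", "8.21.0"));
```

Run against the real lockfile by passing `JSON.parse` of its contents as `lock`; a non-empty result in CI means a transitive dependency is still resolving its own older copy.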