Fix high-severity security vulnerabilities via package resolutions #522
…utions

Add version constraints for 10 packages with known security vulnerabilities:
- h3, tar, node-forge, qs, undici: DoS and injection vulnerabilities
- preact, valibot, glob: CVE-2025-66020 EMOJI_REGEX ReDoS and command injection
- js-yaml, hono: prototype pollution and JWT algorithm confusion fixes

Updates both yarn.lock (root) and package-lock.json (expo-multichain) with patched versions.

Remaining bigint-buffer vulnerability is unfixable due to missing upstream patch in Solana ecosystem.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
🦋 Changeset detected

Latest commit: 64982b0

The changes in this PR will be included in the next version bump. This PR includes changesets to release 9 packages.
Claude finished @ignaciosantise's task.

Security Vulnerability PR Review

Tasks:

Issues Found

1. Missing Changeset (Required by CI)

The changeset-bot is correctly flagging that this PR needs a changeset. Even though this is primarily a dependency update, it should include a changeset because:

Fix: Add a changeset file using `yarn changeset add`. Select all affected packages (likely all of them since this is a monorepo-wide dependency update) with

2. Inconsistent Package Resolution Coverage

The root

The

Issue: If hono is a transitive dependency in the expo-multichain example, it won't be patched.

Recommendation:

3. React Override in expo-multichain May Conflict

In

Note: While not a blocker, mixing React version pinning with security overrides can make future maintenance harder. Consider separating concerns or documenting why React is pinned.

4. No Verification of Fix Effectiveness

The PR description lists the CVEs and packages, but there's no evidence that:

Recommendation: Add audit results to the PR description:

```bash
# Root (yarn)
yarn audit --json > audit-after.json
# Expo example (npm)
cd examples/expo-multichain && npm audit --json > audit-after.json
```

This provides proof the fixes work and documents the security improvement.

5. Potential Breaking Changes Risk

Some version bumps are significant:

Concern: Without knowing the previous versions, there's risk of:

Recommendation:

6. Lockfile Changes Not Validated

The lockfile diffs are large (+115/-223 for yarn.lock, +514/-210 for package-lock.json). Without manual review, we can't verify:

Recommendation: At minimum, verify:

```bash
# Check for any suspicious new packages
git diff yarn.lock | grep -E "^\+[^+]" | grep -v "version" | grep -v "resolved" | head -20
# Ensure lockfiles are consistent with package.json
yarn install --check-files
cd examples/expo-multichain && npm ci
```

Security Fix Analysis

The vulnerabilities addressed are legitimate and serious:

All are valid security concerns that should be addressed.

Best Practices Notes

Positive:

Could Improve:

Summary

This PR addresses real security vulnerabilities, but needs:

The security resolutions themselves appear appropriate, but the PR needs additional validation before merge.
All alerts resolved. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
Pull request overview
This PR addresses 10 high/moderate severity security vulnerabilities by pinning package versions through yarn resolutions and npm overrides. The changes update vulnerable dependencies to their patched versions across both the Yarn workspace (root) and the npm-based expo-multichain example.
Changes:
- Added 10 security package resolutions to root `package.json` for the Yarn workspace
- Added 9 security package overrides to `examples/expo-multichain/package.json` for npm
- Updated yarn.lock and package-lock.json with the patched versions
Reviewed changes
Copilot reviewed 2 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Added 10 package resolutions (h3, tar, node-forge, qs, undici, preact, js-yaml, glob, valibot, hono) to fix security vulnerabilities in the Yarn workspace |
| examples/expo-multichain/package.json | Added 9 package overrides (excluding hono which is already present) to fix security vulnerabilities in the npm-based example app |
| yarn.lock | Updated with new versions of security-patched packages for the Yarn workspace |
| examples/expo-multichain/package-lock.json | Updated with new versions of security-patched packages for the npm example, including new dependencies required by upgraded packages |
Files not reviewed (1)
- examples/expo-multichain/package-lock.json: Language not supported
The glob@11.x resolution removed the sync API that react-native-builder-bob depends on. The glob vulnerability (CVE-2025-64756) only affects CLI usage with the -c/--cmd flag, not library usage, so removing this resolution is safe.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

js-yaml 4.x removed safeLoad/safeDump functions used by @changesets/parse. The security fix for js-yaml 3.x is 3.14.2, which maintains backward compatibility while patching the prototype pollution vulnerability.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@claude review
Claude finished @ignaciosantise's task.

🔄 Incremental PR Review

Tasks:

Changes Since Last Review

The author has addressed the major breaking change concerns raised by previous reviewers.

Resolved Issues:

Current Issues

1. Inaccuracy in Changeset Documentation

File:

The changeset states "js-yaml 4.1.1" but the actual resolution is now

```diff
- js-yaml 4.1.1 (Prototype Pollution)
+ js-yaml 3.14.2 (Prototype Pollution fix)
```

2. Missing glob from Patched Packages List

Files:

The changeset and PR description list "9 vulnerable packages" but originally there were 10 (including glob). Since glob was removed due to compatibility issues, the documentation should either:

The PR description still mentions glob in the "Fixed vulnerabilities" section, creating confusion.

Recommendation: Update the changeset to say "8 vulnerable packages" and remove glob from the list, or add a note explaining glob was excluded due to breaking changes.

3. Unnecessary hono Resolution in Root package.json

File:

The copilot reviewer correctly identified that

Recommendation: Remove

4. Missing Validation Evidence

As noted in the original review, there's still no evidence that:

Recommendation: Run and document:

```bash
# Yarn workspace audit
yarn npm audit --recursive --json
# NPM example audit
cd examples/expo-multichain && npm audit --json
```

This provides proof the fixes work and quantifies the security improvement.

5. Missing Test Validation

The original review recommended running the full test suite and build to ensure no breakage. No evidence this was done.

Recommendation: Run and report results:

```bash
yarn lint
yarn prettier
yarn build
yarn test
```

If all pass, note it in the PR. If anything fails, address before merging.

Security Analysis

Properly Addressed (8 packages):

In expo-multichain only:

Excluded due to compatibility:

Summary

What improved since last review:

Remaining action items before merge:

Overall: The PR is much improved. The security fixes are valid and the breaking changes were properly addressed. Just needs documentation cleanup and validation evidence.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
```json
"qs": "6.14.1",
"undici": "6.23.0",
"preact": "10.28.2",
"js-yaml": "3.14.2",
```
js-yaml pinned to vulnerable version instead of documented fix
High Severity
The changeset and PR description document fixing js-yaml prototype pollution with version 4.1.1, but the actual resolution pins to 3.14.2. According to Snyk's vulnerability database, version 3.14.x is still vulnerable to prototype pollution (CVE-2025-64718), and 4.1.1 is the "latest non vulnerable version." The implemented fix doesn't actually address the security vulnerability it claims to fix.
Additional Locations (2)
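The checks the two Claude reviews ask for (lockfile changes validated, resolution coverage consistent between the root `package.json` and the example app, changeset text matching the actual pin) and the version mismatch Bugbot reports above can be scripted instead of eyeballed. The following is an added example, not code from this PR or from the repository: it parses a yarn v1 lockfile and a `package-lock.json` (v3 `packages` map) and reports pins the lockfile does not honour, pins present on only one side, and documented versions that disagree with the pin. The pins reuse versions listed in this PR; the lockfile excerpts, the changeset version map and all function names are constructed for the example.

```python
"""Cross-check dependency pins against lockfiles and changeset text.

Added example (not code from this PR). Inputs below are constructed: the
version pins are the ones the PR lists, the lockfile excerpts are invented
to mirror the review's concerns (a pin for a package the lockfile never
contains, a stale duplicate version, a nested copy an override missed, and
a changeset that documents a different version than the pin).
"""
import re

# Constructed: root package.json `resolutions` (yarn) and the example app's
# `overrides` (npm). preact is deliberately missing from the npm side.
ROOT_RESOLUTIONS = {"qs": "6.14.1", "undici": "6.23.0", "preact": "10.28.2",
                    "js-yaml": "3.14.2", "hono": "4.11.4"}
EXAMPLE_OVERRIDES = {"qs": "6.14.1", "undici": "6.23.0",
                     "js-yaml": "3.14.2", "hono": "4.11.4"}

# Constructed yarn v1 lockfile excerpt: hono is absent, js-yaml keeps a stale 4.1.0 entry.
YARN_LOCK = """\
# yarn lockfile v1

"js-yaml@^3.13.1", js-yaml@^3.14.0:
  version "3.14.2"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.2.tgz"

js-yaml@^4.1.0:
  version "4.1.0"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz"

qs@^6.5.2, qs@^6.11.0:
  version "6.14.1"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.1.tgz"

undici@^6.0.0:
  version "6.23.0"
  resolved "https://registry.yarnpkg.com/undici/-/undici-6.23.0.tgz"

preact@^10.0.0:
  version "10.28.2"
  resolved "https://registry.yarnpkg.com/preact/-/preact-10.28.2.tgz"
"""

# Constructed package-lock.json (lockfileVersion 3) excerpt: a nested undici
# copy that the override did not reach.
PACKAGE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "expo-multichain"},
        "node_modules/qs": {"version": "6.14.1"},
        "node_modules/hono": {"version": "4.11.4"},
        "node_modules/js-yaml": {"version": "3.14.2"},
        "node_modules/some-dep/node_modules/undici": {"version": "5.28.0"},
    },
}

# Constructed: versions as written in the changeset text (the review flags js-yaml).
CHANGESET_VERSIONS = {"js-yaml": "4.1.1", "qs": "6.14.1"}


def parse_yarn_lock_v1(text):
    """Map package name -> set of versions the yarn v1 lockfile resolved."""
    resolved, names = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            # Entry header: comma-separated "name@range" keys, possibly quoted.
            names = []
            for key in line[:-1].split(","):
                key = key.strip().strip('"')
                names.append(key[: key.rfind("@")])  # rfind keeps "@scope/" intact
            continue
        m = re.match(r'\s+version "([^"]+)"', line)
        if m:
            for name in names:
                resolved.setdefault(name, set()).add(m.group(1))
    return resolved


def parse_package_lock(lock):
    """Map package name -> set of versions in a package-lock.json v2/v3 'packages' map."""
    resolved = {}
    for path, meta in lock["packages"].items():
        if "node_modules/" not in path:
            continue  # root project and workspace entries
        name = path.rsplit("node_modules/", 1)[1]
        resolved.setdefault(name, set()).add(meta["version"])
    return resolved


def check_pins(pins, resolved):
    """Findings for pins the lockfile does not honour: absent package, or extra versions."""
    findings = []
    for name, wanted in pins.items():
        versions = resolved.get(name)
        if versions is None:
            findings.append(f"{name}: pinned to {wanted} but not in lockfile (pin has no effect)")
        elif versions != {wanted}:
            findings.append(f"{name}: pinned to {wanted} but lockfile resolves {sorted(versions)}")
    return findings


def compare_pins(root, example):
    """Packages pinned in one package.json only, or at different versions."""
    return [(n, root.get(n), example.get(n))
            for n in sorted(set(root) | set(example)) if root.get(n) != example.get(n)]


def doc_mismatches(documented, pins):
    """Documented versions that disagree with the actual pin."""
    return [(n, v, pins.get(n)) for n, v in documented.items() if pins.get(n) != v]


def run_all():
    return {
        "yarn": check_pins(ROOT_RESOLUTIONS, parse_yarn_lock_v1(YARN_LOCK)),
        "npm": check_pins(EXAMPLE_OVERRIDES, parse_package_lock(PACKAGE_LOCK)),
        "coverage": compare_pins(ROOT_RESOLUTIONS, EXAMPLE_OVERRIDES),
        "docs": doc_mismatches(CHANGESET_VERSIONS, ROOT_RESOLUTIONS),
    }


if __name__ == "__main__":
    for section, items in run_all().items():
        print(section, items or "ok")
```

To run it against the real tree, load `package.json`, `yarn.lock` and `package-lock.json` from disk in place of the constants. A pin for a package the lockfile never contains (the hono entry in the root resolutions discussed in this thread) surfaces as "pin has no effect"; a nested copy still at an old version means the override did not take and the lockfile needs regenerating; and the docs check catches the changeset/pin disagreement Bugbot reports for js-yaml.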
- Update changeset to show correct js-yaml version (3.14.2, not 4.1.1)
- Remove hono from root resolutions (not in yarn.lock, only used by expo-multichain via npm)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
Resolves 10 high/moderate severity security vulnerabilities by pinning package versions in yarn and npm overrides.
Changes
- `package.json` (yarn)
- `examples/expo-multichain/package.json` (npm)

Fixed vulnerabilities:

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Note
Applies security patches by forcing safe versions of transitive deps and updating lockfiles.
- `resolutions` in root `package.json` and npm `overrides` in `examples/expo-multichain/package.json`
- `yarn.lock` and `package-lock.json`
- `@reown/*-react-native`

Patched deps: h3@1.15.5, tar@7.5.6, node-forge@1.3.2, qs@6.14.1, undici@6.23.0, preact@10.28.2, js-yaml@3.14.2, valibot@1.2.0, hono@4.11.4.

Written by Cursor Bugbot for commit 64982b0.