Fix npm dependency vulnerabilities in onchain-app-template#1
…o onchain-app-template/package.json Co-authored-by: Deejae69 <179696940+Deejae69@users.noreply.github.com>
…ability Co-authored-by: Deejae69 <179696940+Deejae69@users.noreply.github.com>
Pull request overview
Updates the onchain-app-template JavaScript dependencies to address known CVEs (including issues called out in `next` and transitive dependencies), primarily by upgrading direct deps and adding transitive version pinning.
Changes:
- Upgraded `next` to `^15.2.9` and pinned `@wagmi/cli` to `2.10.0`.
- Added transitive dependency pins via `resolutions` for several vulnerable packages.
| "resolutions": { | ||
| "cross-spawn": "^7.0.5", | ||
| "sha.js": "^2.4.12", | ||
| "node-forge": "^1.3.3", | ||
| "bn.js": "^5.2.3", | ||
| "glob": "^10.5.0", | ||
| "h3": "^1.15.5", | ||
| "lodash": "^4.17.23", | ||
| "minimatch": "^10.2.1" |
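Review bot: two of these pins force a semver-major jump across the entire tree (`"glob": "^10.5.0"` and `"minimatch": "^10.2.1"`), and a blanket resolution replaces every copy of the package regardless of the range the dependent declared, so any transitive consumer still written against the glob 7 / minimatch 3 API will get the new major at runtime. Suggest either scoping the pin to the vulnerable path with Yarn's nested selector (e.g. `"some-parent/glob": "^10.5.0"`) or confirming with `yarn why glob` / `yarn why minimatch` plus the test suite that each dependent tolerates the forced major before merging.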
The `resolutions` field is only honored by some package managers (notably Yarn). If consumers install this template with npm (which uses `overrides`) or pnpm (which uses `pnpm.overrides`), these pins may be ignored and the vulnerable transitive versions could still be selected. Consider either (a) switching to the override mechanism for the intended package manager, or (b) adding a `packageManager` field (and ideally a lockfile) to make it explicit that installs must use a tool that honors `resolutions`.
| "ci:check": "biome ci --formatter-enabled=false --linter-enabled=false", | ||
| "ci:format": "biome ci --linter-enabled=false --organize-imports-enabled=false", | ||
| "ci:lint": "biome ci --formatter-enabled=false --organize-imports-enabled=false", | ||
| "dev": "NODE_OPTIONS='--inspect' next dev", |
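Review bot: `"dev"` enables the Node inspector on every ordinary `next dev` run rather than only when someone is actually debugging, so the debugger endpoint (127.0.0.1:9229 by default) is listening for the whole development session. Suggest keeping `"dev": "next dev"` and adding a separate `"dev:inspect"` script that sets `NODE_OPTIONS=--inspect`, so attaching a debugger is opt-in.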
The `dev` script uses POSIX-style env var assignment with single quotes (`NODE_OPTIONS='--inspect' ...`), which will fail on Windows shells. If this template is intended to be cross-platform, consider using a cross-platform env helper (e.g. `cross-env`) or moving `--inspect` into a separate `dev:inspect` script while keeping `dev` portable.
Several direct and transitive npm dependencies in the onchain-app-template carried known CVEs, including critical DoS and authorization bypass issues in `next` and an unpatched esbuild via `@wagmi/cli: latest`.

Direct dependency updates
- `next` `^14.2.5` → `^15.2.9` — 14.x has no patch for the HTTP request deserialization DoS (GHSA-7m27-7ghc-44w9); earliest clean release is 15.2.9
- `@wagmi/cli` pinned to `2.10.0` (was resolving to `2.1.16` via `latest`) — picks up patched esbuild (GHSA-67mh-4wv8-2f99)

Transitive dependency resolutions
Added `resolutions` to force safe versions through the dependency tree:
- `sha.js` `^2.4.12`
- `cross-spawn` `^7.0.5`
- `glob` `^10.5.0`
- `h3` `^1.15.5`
- `node-forge` `^1.3.3`
- `minimatch` `^10.2.1`
- `bn.js` `^5.2.3`
- `lodash` `^4.17.23`

Housekeeping
- `@testing-library/*` entries to their alphabetical position in `devDependencies`
- `jsdom`/`lokijs` to restore alphabetical order

Original prompt