Skip to content

Fix vulnerabilities, updated dependencies #104

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gabuladze merged 3 commits into from
Feb 4, 2026
Merged

Fix vulnerabilities, updated dependencies #104

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6250e54
chore(PIT-5907): add shai hulud security scan workflow (#8)
darkanakin41 Dec 2, 2025
670bbc7
fix: package.json & yarn.lock to reduce vulnerabilities (#9)
jbfarez Dec 3, 2025
d2f3e72
[Snyk] Fix for 12 vulnerabilities (#10)
jbfarez Dec 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions .github/workflows/shai-hulud-security-scan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: Shai-Hulud Security Scan

on:
push:
branches:
- '*' # every branch
pull_request:
types: [opened, synchronize, reopened]

jobs:
scan:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write # needed for commenting

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Run Shai-Hulud 2.0 Detector
id: shai
uses: gensecaihq/Shai-Hulud-2.0-Detector@v1
with:
scan-lockfiles: true
fail-on-critical: true
fail-on-high: true

- name: Comment PR if vulnerable
if: failure() && github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: [
'## :warning: Shai-Hulud Supply Chain Blocked',
'',
'This PR introduces compromised npm dependencies.',
'',
'**Remove or update affected packages before merging.**'
].join('\n')
})

- name: Notify Slack Channel on Failure
if: failure()
uses: slackapi/slack-github-action@v2.1.1
with:
errors: true
token: ${{ secrets.SLACK_BOT_TOKEN }}
method: chat.postMessage
payload: |
"channel": "#github-security-scan-issue",
"text": "${{ github.repository }} had a change!",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":siren1: Shai Hulud security scan issue found in <https://github.com/${{ github.repository }}|*${{ github.repository }}*>:siren1:"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "Please check urgently."
}
}
]
10 changes: 5 additions & 5 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,16 +15,16 @@
"dependencies": {
"@openzeppelin/contracts": "4.6.0",
"@openzeppelin/contracts-upgradeable": "4.6.0",
"@truffle/hdwallet-provider": "^1.2.6",
"@truffle/hdwallet-provider": "^2.1.15",
"bignumber.js": "^9.0.2",
"eth-gas-reporter": "^0.2.24",
"ethereumjs-util": "^7.1.3",
"rlp": "^2.2.6",
"solidity-coverage": "^0.7.18",
"truffle": "^5.4.32",
"solidity-coverage": "^0.8.0",
"truffle": "^5.6.0",
"web3": "^4.0.3",
"web3-eth-abi": "^1.7.1",
"web3-utils": "^1.7.0"
"web3-eth-abi": "^1.10.1",
"web3-utils": "^1.10.1"
},
"devDependencies": {
"eth-sig-util": "^3.0.1",
Expand Down
Loading