
chore(security): resolve dependabot JS alerts (parachain + tee-worker dev/demo deps)#4060

Merged
Kailai-Wang merged 2 commits into dev from chore/security-bump-js on Jun 30, 2026

Conversation

@Kailai-Wang

Collaborator

Summary

Resolves the fixable dependabot JS alerts across the repo. All are in dev / test / demo / SDK tooling — none ship in the parachain node, runtime wasm, or the Solana program build (anchor b).

Fixes applied via lockfile pins (pnpm.overrides / npm overrides / yarn resolutions), regenerating each lockfile.

parachain (commit 1)

| dir | package (alert) | pinned version |
|---|---|---|
| ts-tests | vite (#1296 HIGH) | 7.3.6 |
| ts-tests | esbuild (#1285) | 0.28.1 |
| ts-tests | tmp (#1195 HIGH) | 0.2.7 |
| docker | ws (#1293 HIGH) | 8.21.0 |
| scripts/ts-utils | esbuild (#1286) | 0.28.1 |

tee-worker (commit 2) — 9 manifests

axios ≥1.16.0, ws ≥8.21.0, form-data ≥4.0.6, lodash ≥4.18.0, tmp ≥0.2.6, uuid ≥11.1.1, qs ≥6.15.2, js-yaml ≥4.2.0, serialize-javascript ≥7.0.5 (incl. scoped mocha>serialize-javascript), fast-uri ≥3.1.2, markdown-it ≥14.2.0, postcss ≥8.5.10, tar ≥7.5.16, ua-parser-js ≥2.0.10, ip-address ≥10.1.1, underscore ≥1.13.8, @babel/core ≥7.29.6, @babel/plugin-transform-modules-systemjs ≥7.29.4, @metamask/sdk(+communication-layer) ≥0.33.1.

Regenerating aa-demo also purges the malicious debug@4.4.2 (#1222/#1223).

NOT fixed here (and why)

Verification

  • Every overridden package re-checked against its alert floor in the regenerated lockfile.
  • tsc --noEmit clean for parachain/ts-tests.
  • accounting/solana is the only tee-worker JS dir in CI; it runs anchor b (Rust program), which does not consume these JS deps — the bump is build-safe.

Resolve dependabot alerts in parachain dev/test tooling (transitive deps,
not shipped in node/runtime):
- ts-tests: vite 7.3.1 -> 7.3.6 (#1296 HIGH, server.fs.deny bypass),
  esbuild -> 0.28.1 (#1285), tmp -> 0.2.7 (#1195 HIGH, path traversal)
- docker: ws -> 8.21.0 (#1293 HIGH, DoS)
- scripts/ts-utils: esbuild -> 0.28.1 (#1286)

Pinned via pnpm.overrides where transitive; vite pinned as a direct
devDependency in ts-tests (override on a vitest-peer transitive wasn't
honored). tsc --noEmit clean for ts-tests.
…pendabot)

Resolve dependabot alerts across tee-worker JS packages (demo apps, client
SDKs, ts-tests, contract tooling) via lockfile pins. None of these ship in the
node/runtime or the Solana program build (anchor b); they are dev/demo/test
tooling.

Pins applied via pnpm.overrides / npm overrides / yarn resolutions:
- axios >=1.16.0, ws >=8.21.0, form-data >=4.0.6, lodash >=4.18.0,
  tmp >=0.2.6, uuid >=11.1.1, qs >=6.15.2, js-yaml >=4.2.0,
  serialize-javascript >=7.0.5 (incl. scoped mocha>serialize-javascript),
  fast-uri >=3.1.2, markdown-it >=14.2.0, postcss >=8.5.10, tar >=7.5.16,
  ua-parser-js >=2.0.10, ip-address >=10.1.1, underscore >=1.13.8,
  @babel/core >=7.29.6, @babel/plugin-transform-modules-systemjs >=7.29.4,
  @metamask/sdk(+communication-layer) >=0.33.1
- aa-demo regen also purges the malicious debug@4.4.2 (#1222/#1223).

Manifests: client-api, identity/client-sdk, identity/ts-tests,
omni-executor/{client-sdk,ts-tests,webapp/aa-demo,webapp/x402-demo,
contracts/privacy-pool,contracts/accounting/solana}.
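The "every overridden package re-checked against its alert floor" step above is the part of this PR that is easy to get wrong, because an override can silently fail to reach a nested copy (the description itself notes a vitest-peer transitive where the override was not honored). The following script is an added example, not code from the PR or the project, that walks a regenerated npm package-lock.json (lockfileVersion 2/3, where `packages` is keyed by node_modules paths) and reports every installed copy below its floor plus any banned exact version such as debug@4.4.2. The floors are the ones quoted in the PR; the lockfile contents, the `FLOORS`/`BANNED` names and the helper functions are constructed for the example. pnpm-lock.yaml and yarn.lock use different formats and would need their own parsers.

```javascript
// Added example (not the project's code): audit a regenerated npm
// package-lock.json against the version floors pinned via overrides and
// flag banned exact versions. Assumes lockfileVersion 2/3 layout. The
// floors are the subset quoted in the PR; the lockfile is constructed.

const FLOORS = {
  axios: "1.16.0",
  ws: "8.21.0",
  "form-data": "4.0.6",
  tmp: "0.2.6",
  "serialize-javascript": "7.0.5",
  "@metamask/sdk": "0.33.1",
};

// Exact versions that must not appear anywhere in the tree (PR: debug@4.4.2).
const BANNED = { debug: ["4.4.2"] };

// Parse "MAJOR.MINOR.PATCH[-pre][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts below the release with the same
// core, so "8.21.0-rc.1" does NOT satisfy a floor of "8.21.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// "node_modules/mocha/node_modules/serialize-javascript" -> "serialize-javascript"
// "node_modules/@metamask/sdk" -> "@metamask/sdk" (scoped names keep the scope)
function nameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Walk every installed copy, including nested ones that a top-level override
// may not have reached, and report anything below its floor or on the ban list.
function auditLockfile(lock, floors, banned) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || !entry.version) continue; // root project / link entries
    const name = nameFromPath(lockPath);
    const floor = floors[name];
    if (floor && compareVersions(entry.version, floor) < 0) {
      findings.push({ path: lockPath, name, version: entry.version, reason: `below floor ${floor}` });
    }
    if ((banned[name] || []).includes(entry.version)) {
      findings.push({ path: lockPath, name, version: entry.version, reason: "banned version" });
    }
  }
  return findings;
}

// Constructed lockfile: a nested serialize-javascript copy the top-level
// override did not reach, a tmp below the floor, and the banned debug
// release. Versions other than the floors are made up for the example.
const SAMPLE_LOCK = {
  name: "aa-demo",
  lockfileVersion: 3,
  packages: {
    "": { name: "aa-demo" },
    "node_modules/axios": { version: "1.16.0" },
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/@metamask/sdk": { version: "0.33.1" },
    "node_modules/serialize-javascript": { version: "7.0.5" },
    "node_modules/mocha": { version: "10.8.2" },
    "node_modules/mocha/node_modules/serialize-javascript": { version: "6.0.2" },
    "node_modules/tmp": { version: "0.2.5" },
    "node_modules/debug": { version: "4.4.2" },
  },
};

const findings = auditLockfile(SAMPLE_LOCK, FLOORS, BANNED);
for (const f of findings) console.log(`${f.path}@${f.version}: ${f.reason}`);
// For a real tree: auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")), FLOORS, BANNED)
```

Run against the constructed lockfile this reports three findings: the nested mocha copy of serialize-javascript at 6.0.2, tmp at 0.2.5, and the banned debug@4.4.2, while the top-level entries that sit exactly on their floor pass. A nested finding is exactly the case where a plain override is not enough and a scoped pin such as `mocha>serialize-javascript` is needed, which is what the PR does for that package.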
@vercel

vercel Bot commented Jun 30, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| heima-aa-demo-app | Ignored | Ignored | Jun 30, 2026 3:24pm |


@Kailai-Wang Kailai-Wang enabled auto-merge (squash) June 30, 2026 15:28
@Kailai-Wang Kailai-Wang merged commit c578904 into dev Jun 30, 2026
15 checks passed
@Kailai-Wang Kailai-Wang deleted the chore/security-bump-js branch June 30, 2026 15:40