chore(security): resolve dependabot JS alerts (parachain + tee-worker dev/demo deps)#4060
Merged
Resolve dependabot alerts in parachain dev/test tooling (transitive deps, not shipped in node/runtime):

- ts-tests: vite 7.3.1 -> 7.3.6 (#1296 HIGH, server.fs.deny bypass), esbuild -> 0.28.1 (#1285), tmp -> 0.2.7 (#1195 HIGH, path traversal)
- docker: ws -> 8.21.0 (#1293 HIGH, DoS)
- scripts/ts-utils: esbuild -> 0.28.1 (#1286)

Pinned via pnpm.overrides where transitive; vite pinned as a direct devDependency in ts-tests (override on a vitest-peer transitive wasn't honored). tsc --noEmit clean for ts-tests.
…pendabot)

Resolve dependabot alerts across tee-worker JS packages (demo apps, client SDKs, ts-tests, contract tooling) via lockfile pins. None of these ship in the node/runtime or the Solana program build (anchor b); they are dev/demo/test tooling.

Pins applied via pnpm.overrides / npm overrides / yarn resolutions:

- axios >=1.16.0, ws >=8.21.0, form-data >=4.0.6, lodash >=4.18.0, tmp >=0.2.6, uuid >=11.1.1, qs >=6.15.2, js-yaml >=4.2.0, serialize-javascript >=7.0.5 (incl. scoped mocha>serialize-javascript), fast-uri >=3.1.2, markdown-it >=14.2.0, postcss >=8.5.10, tar >=7.5.16, ua-parser-js >=2.0.10, ip-address >=10.1.1, underscore >=1.13.8, @babel/core >=7.29.6, @babel/plugin-transform-modules-systemjs >=7.29.4, @metamask/sdk (+communication-layer) >=0.33.1
- aa-demo regen also purges the malicious debug@4.4.2 (#1222/#1223).

Manifests: client-api, identity/client-sdk, identity/ts-tests, omni-executor/{client-sdk, ts-tests, webapp/aa-demo, webapp/x402-demo, contracts/privacy-pool, contracts/accounting/solana}.
Summary

Resolves the fixable dependabot JS alerts across the repo. All are in dev / test / demo / SDK tooling — none ship in the parachain node, runtime wasm, or the Solana program build (`anchor b`). Fixes applied via lockfile pins (`pnpm.overrides` / npm `overrides` / yarn `resolutions`), regenerating each lockfile.

parachain (commit 1)

tee-worker (commit 2) — 9 manifests

axios ≥1.16.0, ws ≥8.21.0, form-data ≥4.0.6, lodash ≥4.18.0, tmp ≥0.2.6, uuid ≥11.1.1, qs ≥6.15.2, js-yaml ≥4.2.0, serialize-javascript ≥7.0.5 (incl. scoped `mocha>serialize-javascript`), fast-uri ≥3.1.2, markdown-it ≥14.2.0, postcss ≥8.5.10, tar ≥7.5.16, ua-parser-js ≥2.0.10, ip-address ≥10.1.1, underscore ≥1.13.8, @babel/core ≥7.29.6, @babel/plugin-transform-modules-systemjs ≥7.29.4, @metamask/sdk (+communication-layer) ≥0.33.1. Regenerating `aa-demo` also purges the malicious `debug@4.4.2` (#1222/#1223).

NOT fixed here (and why)

- `sc-executor-wasmtime` (^35) in polkadot-sdk stable2512; the fix (wasmtime 36.0.7) only landed on SDK master, not yet backported to the 2512 line. Cannot override without breaking the SDK dep graph. Both vulns are aarch64-only (we ship x86_64) and require local untrusted-wasm execution; not reachable in our threat model. Tracked to bump once a stable2512 patch backports wasmtime 36.
- `geth` from TEE ts-tests #1100, openssl: same story, pinned via SDK (litep2p/sc-network) or in the legacy identity worker (not in CI).

Verification

- `tsc --noEmit` clean for parachain/ts-tests.
- `accounting/solana` is the only tee-worker JS dir in CI; it runs `anchor b` (Rust program), which does not consume these JS deps, so the bump is build-safe.
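The PR notes that an override on a transitive dependency was not honoured in one case and that a scoped `mocha>serialize-javascript` pin was needed for a nested copy. The check a reviewer wants after a lockfile regen is therefore not "is the override declared" but "does every installed copy, hoisted or nested, meet the floor". The following Node script is an added example, not code from the PR or the repository: it walks the `packages` map of an npm `lockfileVersion` 3 `package-lock.json` (the key is the install path, so nested copies appear as `node_modules/<parent>/node_modules/<child>`) and reports any copy of a listed package below its minimum. The floors are a subset of those in the PR; the sample lockfile is constructed for the example and is not the repo's.

```javascript
// Added example (not from the PR): verify that lockfile pins actually took effect.
// Walks an npm lockfileVersion 3 "packages" map and reports every installed copy
// of a watched package, top-level or nested, whose version is below the floor.
// Nested copies matter: a top-level pin does not reach a copy that another
// package (e.g. mocha) resolves for itself, which is why a scoped override exists.

// Minimum versions, a subset of the floors listed in the PR description.
const FLOORS = {
  ws: "8.21.0",
  tmp: "0.2.6",
  "serialize-javascript": "7.0.5",
  "@babel/core": "7.29.6",
};

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into three numbers. Prerelease and
// build metadata are ignored, which is adequate for floor checks on releases.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1 if a < b, 0 if equal, 1 if a > b (numeric, component-wise).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "node_modules/mocha/node_modules/serialize-javascript" -> "serialize-javascript"
// "node_modules/@babel/core"                              -> "@babel/core"
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// Returns one { path, name, installed, required } record per violation.
function findUnderpinned(lock, floors = FLOORS) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry has no version to check
    const name = packageNameFromPath(path);
    if (!name || !(name in floors) || !entry.version) continue;
    if (compareVersions(entry.version, floors[name]) < 0) {
      violations.push({ path, name, installed: entry.version, required: floors[name] });
    }
  }
  return violations;
}

// Constructed sample lockfile (not the repo's). The top-level pins are honoured,
// but a nested copy under mocha still resolves to an old serialize-javascript,
// which is exactly the case a plain top-level override would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", devDependencies: { mocha: "^10.0.0", ws: "^8.0.0" } },
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/tmp": { version: "0.2.7" },
    "node_modules/@babel/core": { version: "7.29.6" },
    "node_modules/serialize-javascript": { version: "7.0.5" },
    "node_modules/mocha": { version: "10.8.2" },
    "node_modules/mocha/node_modules/serialize-javascript": { version: "6.0.2" },
  },
};

// Human-readable report; an empty array means every pin is honoured.
function report(lock, floors = FLOORS) {
  return findUnderpinned(lock, floors).map(
    (v) => `${v.path}: installed ${v.installed}, required >=${v.required}`
  );
}
```

To run it against a real lockfile, read and `JSON.parse` the project's `package-lock.json` and pass the object to `findUnderpinned`; a non-empty result after `npm install` means the override was declared but not applied, the situation the PR hit with the vitest peer. pnpm and yarn lockfiles are YAML with different shapes, so the path-parsing helper above does not apply to them unchanged.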