Fix dependabot security vulnerabilities #536

Merged: ignaciosantise merged 4 commits into develop from fix-dependabot-alerts, Feb 23, 2026

Conversation

ignaciosantise (Collaborator) commented Feb 23, 2026

Summary

This PR resolves 20 open dependabot security alerts by upgrading vulnerable dependencies and adding resolutions/overrides to force patched versions across the monorepo. Updates include critical patches for tar (hardlink/symlink path traversal), qs (DoS bypass), hono (XSS, cache deception), and @playwright/test (SSL verification). Dependencies like ajv, lodash, webpack, bn.js, and minimatch have been added to resolution/override configurations. The bigint-buffer vulnerability remains unpatched upstream with no available fix.

Changes

  • Root package.json: tar 7.5.6→7.5.8, qs 6.14.1→6.14.2, added ajv 8.18.0, lodash 4.17.23, webpack 5.104.1
  • apps/native/package.json: @playwright/test 1.49.1→1.55.1
  • examples/expo-multichain/package.json: hono 4.11.4→4.11.10, tar 7.5.6→7.5.8, added ajv 8.18.0, bn.js 5.2.3, minimatch 10.2.1
  • Updated yarn.lock and package-lock.json with patched versions

Note

Medium Risk
Primarily dependency/lockfile churn, but upgrades to build tooling (webpack) and security-sensitive libraries (tar, qs, hono) could introduce subtle compatibility changes at runtime or in CI.

Overview
Security-focused dependency refresh across the monorepo. Updates include bumping @playwright/test (native app), and pinning/upgrading vulnerable transitive deps via root resolutions and example app overrides (notably tar, qs, hono, plus ajv, lodash, webpack, bn.js, minimatch).

Lockfiles are regenerated (yarn.lock, examples/expo-multichain/package-lock.json) to reflect the patched versions and tightened dependency graph.

Written by Cursor Bugbot for commit 54ff4b9. This will update automatically on new commits.

Updated package versions and added resolutions/overrides for:
- tar: 7.5.6 → 7.5.8 (hardlink/symlink path traversal fixes)
- qs: 6.14.1 → 6.14.2 (arrayLimit DoS bypass)
- hono: 4.11.4 → 4.11.10 (XSS, cache deception, IP spoofing fixes)
- @playwright/test: 1.49.1 → 1.55.1 (SSL certificate verification)
- Added ajv 8.18.0, lodash 4.17.23, webpack 5.104.1, bn.js 5.2.3, minimatch 10.2.1

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 23, 2026 15:08
changeset-bot commented Feb 23, 2026

⚠️ No Changeset found

Latest commit: 54ff4b9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


claude bot commented Feb 23, 2026

Claude finished @ignaciosantise's task


PR Review: Fix dependabot security vulnerabilities

Tasks

  • Read and analyze all changed files
  • Review dependency version upgrades
  • Check resolutions/overrides configuration
  • Assess security implications
  • Provide comprehensive review feedback

Summary

This PR appropriately addresses security vulnerabilities through dependency upgrades and resolution pinning. The changes are low-risk as they only modify dependency versions without touching application logic. However, there are several issues that need to be addressed.


Critical Issues

1. Inconsistent qs version in expo-multichain

Location: examples/expo-multichain/package.json:84

The root package.json upgrades qs to 6.14.2 (line 102), but examples/expo-multichain/package.json still pins it to 6.14.1 (line 84).

// examples/expo-multichain/package.json
"overrides": {
  "qs": "6.14.1",  // ❌ Should be 6.14.2

Impact: The Expo example will not receive the DoS bypass security fix for qs.

Fix: Update line 84 to "qs": "6.14.2" to match the root package.json.


Security Concerns

2. webpack resolution added without explicit vulnerability context

Location: package.json:109

The addition of webpack: 5.104.1 to resolutions is not explained in the PR description. This is concerning because:

  • Webpack is a critical build tool
  • Version pinning webpack across the monorepo could cause build issues
  • The PR description mentions 20 alerts, but doesn't specifically mention webpack

Recommendation:

  • Verify that webpack 5.104.1 is actually needed and doesn't break any builds
  • Run the build across all workspace packages to ensure compatibility
  • Document which specific dependabot alert this addresses

3. Missing verification that security patches are actually applied

The PR adds resolutions/overrides for transitive dependencies (ajv, lodash, bn.js, minimatch) but doesn't verify they're actually being used by vulnerable packages.

Recommendation: Run yarn why <package> for each pinned dependency to confirm:

yarn why ajv
yarn why lodash
yarn why bn.js
yarn why minimatch
yarn why webpack

This ensures the resolutions are actually forcing the patched versions in the dependency tree.


Code Quality Issues

4. Missing changeset

The changeset-bot correctly flagged that no changeset has been added. While this is primarily a dependency update, it should still be tracked.

Fix: Add a changeset:

yarn changeset add

Select @apps/native and any other affected packages, use patch semver, and describe: "Security: Fix dependabot vulnerabilities by upgrading tar, qs, hono, @playwright/test and pinning vulnerable transitive dependencies"


5. Large lockfile churn without verification

The PR modifies yarn.lock (+166/-87 lines) and package-lock.json (+35/-285 lines) significantly.

Recommendation: Before merging:

  1. Run the full test suite: yarn test
  2. Run linting: yarn lint && yarn prettier
  3. Build all packages: yarn build
  4. Run Playwright tests: yarn playwright:test

The PR description states "Low Risk" but doesn't confirm these steps were completed.


Best Practices & Recommendations

6. Document the bigint-buffer vulnerability

The PR description mentions "The bigint-buffer vulnerability remains unpatched upstream with no available fix" but doesn't document this anywhere permanent.

Recommendation: Consider adding a SECURITY.md entry or comment in the relevant package.json explaining this known issue and any mitigations.


7. Consider stricter version ranges

Several resolutions use caret (^) ranges which allow minor/patch updates:

  • elliptic: ^6.6.1 (package.json:86)
  • ws: ^8.18.1 (package.json:88)
  • ip: ^2.0.1 (package.json:93)

Recommendation: For security-critical packages, consider using exact versions (without ^) to prevent unexpected updates:

"elliptic": "6.6.1",
"ws": "8.18.1",
"ip": "2.0.1"

8. Playwright version jump (1.49.1 → 1.55.1)

Location: apps/native/package.json:55

This is a significant jump (6 minor versions). Playwright can introduce breaking changes between minor versions.

Recommendation:

  1. Review the Playwright changelog between v1.49.1 and v1.55.1
  2. Ensure all Playwright tests pass: cd apps/native && yarn playwright:test
  3. Check if any test selectors or API calls need updating

9. Monorepo consistency check

The monorepo uses both Yarn (workspaces, yarn.lock) and npm (package-lock.json in examples/expo-multichain).

Question: Is this intentional? Having mixed package managers can lead to:

  • Duplicate dependency trees
  • Inconsistent lockfile updates
  • Harder dependency management

Recommendation: Consider standardizing on Yarn across the entire monorepo, or document why Expo example uses npm.


Testing Checklist

Before merging, please confirm:

  • All tests pass (yarn test)
  • Lint passes (yarn lint && yarn prettier)
  • Build succeeds for all packages (yarn build)
  • Playwright tests pass (yarn playwright:test)
  • Expo example builds successfully (iOS/Android/Web)
  • Manual smoke test of key features (wallet connection, transactions)
  • Verified resolution versions with yarn why <package>

Summary of Required Changes

Must fix before merge:

  1. Update qs to 6.14.2 in examples/expo-multichain/package.json:84
  2. Add a changeset
  3. Verify builds and tests pass

Recommended:

  4. Verify webpack resolution is necessary and working
  5. Run yarn why for all pinned transitive dependencies
  6. Review Playwright changelog for breaking changes
  7. Consider exact version pinning for security-critical packages


Overall Assessment: Approve with changes required

The security updates are appropriate and well-targeted. Once the qs version inconsistency is fixed and a changeset is added, this PR will effectively address the dependabot alerts. The risk is indeed low since no application logic changes, but thorough testing is recommended given the scope of dependency updates.
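The review above asks for three things that are easy to get wrong by eye in a monorepo with both Yarn `resolutions` and npm `overrides`: the same package pinned to different versions in different manifests (the qs case), pins on security-sensitive packages left as floating `^` ranges, and pins that the regenerated lockfile does not actually honour. The script below is an added example, not code from this PR or the project; it uses constructed package.json and package-lock.json samples modelled on the versions discussed here (the nested `some-tool/node_modules/minimatch` copy and the `SECURITY_SENSITIVE` set are assumptions for illustration). It understands flat and nested override maps, Yarn ancestor-scoped keys such as `schema-utils/ajv`, and package-lock v2/v3 `packages` entries; yarn.lock and `$pkg` reference values are out of scope.

```javascript
// Added example (not from the PR or its project): audit resolutions/overrides
// for cross-manifest inconsistency, floating ranges, and lockfile compliance.
// All manifests and lockfile content below are constructed samples.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  return x.major - y.major || x.minor - y.minor || x.patch - y.patch;
}

// Exact, caret (^) and tilde (~) ranges cover every pin seen in this PR.
function satisfies(version, range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = op ? range.slice(1) : range;
  if (compareVersions(version, base) < 0) return false;
  const v = parseVersion(version), b = parseVersion(base);
  if (op === "") return compareVersions(version, base) === 0;
  if (op === "~") return v.major === b.major && v.minor === b.minor;
  // caret: same major line, except 0.x.y where the minor is the compatibility line
  return b.major === 0 ? v.major === 0 && v.minor === b.minor : v.major === b.major;
}

// "schema-utils/ajv" -> ancestors ["schema-utils"], pkg "ajv";
// scoped names such as "@eslint/eslintrc/ajv" keep their "@scope/name" pair intact.
function splitResolutionKey(key) {
  const parts = key.split("/"), names = [];
  for (let i = 0; i < parts.length; i++) {
    if (parts[i].startsWith("@")) { names.push(parts[i] + "/" + parts[i + 1]); i++; }
    else names.push(parts[i]);
  }
  return { pkg: names[names.length - 1], ancestors: names.slice(0, -1) };
}

// Flatten a manifest's `resolutions` (Yarn) or `overrides` (npm) into pins.
// npm nesting { a: { b: "1.0.0" } } means "b as a dependency of a".
function collectPins(file, manifest) {
  const pins = [];
  const walk = (obj, ancestors) => {
    for (const [key, value] of Object.entries(obj)) {
      if (value !== null && typeof value === "object") { walk(value, [...ancestors, key]); continue; }
      if (typeof value !== "string" || value.startsWith("$")) continue; // "$pkg" references not handled
      const { pkg, ancestors: keyAncestors } = splitResolutionKey(key.replace(/@[^/@]*$/, ""));
      pins.push({ file, pkg, ancestors: [...ancestors, ...keyAncestors], range: value });
    }
  };
  walk(manifest.resolutions || manifest.overrides || {}, []);
  return pins;
}

// Same package pinned to different ranges in different manifests (the qs case).
function findInconsistencies(pins) {
  const byPkg = new Map();
  for (const p of pins) {
    if (!byPkg.has(p.pkg)) byPkg.set(p.pkg, new Map());
    byPkg.get(p.pkg).set(p.file, p.range);
  }
  const out = [];
  for (const [pkg, files] of byPkg) {
    if (new Set(files.values()).size > 1) out.push({ pkg, ranges: Object.fromEntries(files) });
  }
  return out;
}

// Security-sensitive pins that still float with ^ or ~.
function findLooseRanges(pins, sensitive) {
  return pins.filter((p) => sensitive.has(p.pkg) && /^[\^~]/.test(p.range))
             .map((p) => `${p.file}: ${p.pkg} ${p.range}`);
}

// Every installed copy of an unscoped pin must satisfy it; a pin with no
// installed copy is dead configuration. Ancestor-scoped pins are skipped.
function checkLockfile(pins, lock) {
  const findings = [];
  for (const p of pins) {
    if (p.ancestors.length) continue;
    const copies = Object.entries(lock.packages || {}).filter(([path]) => path.endsWith(`node_modules/${p.pkg}`));
    if (copies.length === 0) { findings.push(`${p.pkg}: pinned to ${p.range} but not present in the lockfile`); continue; }
    for (const [path, entry] of copies) {
      if (!satisfies(entry.version, p.range)) findings.push(`${path}: ${entry.version} does not satisfy ${p.range}`);
    }
  }
  return findings;
}

// Constructed samples modelled on the versions discussed in the PR.
const ROOT_MANIFEST = { name: "monorepo-root", resolutions: {
  "tar": "7.5.8", "qs": "6.14.2", "schema-utils/ajv": "8.18.0", "lodash": "4.17.23",
  "webpack": "5.104.1", "elliptic": "^6.6.1", "ws": "^8.18.1", "ip": "^2.0.1" } };
const EXAMPLE_MANIFEST = { name: "expo-multichain-example", overrides: {
  "hono": "4.11.10", "tar": "7.5.8", "qs": "6.14.1", "bn.js": "5.2.3", "minimatch": "10.2.1" } };
const EXAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "expo-multichain-example" },
  "node_modules/hono": { version: "4.11.10" }, "node_modules/tar": { version: "7.5.8" },
  "node_modules/bn.js": { version: "5.2.3" }, "node_modules/minimatch": { version: "10.2.1" },
  "node_modules/some-tool/node_modules/minimatch": { version: "3.1.2" } } }; // nested copy the override missed
const SECURITY_SENSITIVE = new Set(["elliptic", "ws", "ip", "tar", "qs", "hono"]);

function audit() {
  const rootPins = collectPins("package.json", ROOT_MANIFEST);
  const examplePins = collectPins("examples/expo-multichain/package.json", EXAMPLE_MANIFEST);
  return {
    inconsistent: findInconsistencies([...rootPins, ...examplePins]),
    loose: findLooseRanges([...rootPins, ...examplePins], SECURITY_SENSITIVE),
    lockfile: checkLockfile(examplePins, EXAMPLE_LOCK),
  };
}

console.log(JSON.stringify(audit(), null, 2));
```

On the sample data the audit reports the qs mismatch between the two manifests, the three caret pins (elliptic, ws, ip), a qs override that pins a package absent from the example's tree, and a nested minimatch 3.1.2 that the top-level override did not reach. The last two are exactly the cases `yarn why` / `npm ls` are meant to surface; running something like this in CI turns the reviewer's manual checklist into a failing check.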


Copilot AI left a comment

Pull request overview

This PR addresses 20 open dependabot security alerts by upgrading vulnerable dependencies to patched versions across the monorepo. The changes include critical security fixes for tar (path traversal vulnerabilities), qs (DoS bypass), hono (XSS and cache deception), and @playwright/test (SSL verification). The PR uses Yarn resolutions in the root package.json and npm overrides in examples/expo-multichain/package.json to enforce patched versions throughout the dependency tree.

Changes:

  • Upgraded tar from 7.5.6 to 7.5.8 to fix hardlink/symlink path traversal vulnerabilities
  • Upgraded qs from 6.14.1 to 6.14.2 to fix DoS bypass
  • Upgraded @playwright/test from 1.49.1 to 1.55.1 to fix SSL verification issues
  • Upgraded hono from 4.11.4 to 4.11.10 to fix XSS and cache deception vulnerabilities
  • Added resolutions/overrides for ajv (8.18.0), lodash (4.17.23), and webpack (5.104.1) to force patched versions across the dependency tree
  • Updated yarn.lock and package-lock.json with corresponding changes, including removal of deprecated dependencies (ajv v6, concat-map)

Reviewed changes

Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:
  • package.json: Added resolutions for tar, qs, ajv, lodash, and webpack to enforce secure versions
  • apps/native/package.json: Upgraded @playwright/test to 1.55.1 for SSL verification fix
  • examples/expo-multichain/package.json: Added overrides for hono, tar, ajv, bn.js, and minimatch
  • yarn.lock: Updated with patched versions, removed ajv v6 and related deprecated dependencies
  • examples/expo-multichain/package-lock.json: Updated with patched versions for hono, tar, ajv, bn.js, and minimatch; removed deprecated brace-expansion v1/v2 and concat-map
Files not reviewed (1)
  • examples/expo-multichain/package-lock.json: Language not supported


"tar": "7.5.6",
"tar": "7.5.8",
"node-forge": "1.3.2",
"qs": "6.14.1",
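Review bot: the `qs` override in this hunk stays at 6.14.1 while the root `resolutions` entry moves to 6.14.2, so the example app would keep the range the PR set out to patch; before simply bumping it, confirm with `npm ls qs` in examples/expo-multichain that qs is in this tree at all, because a later commit on this PR removes the override as not a transitive dependency, and an override for a package that is never installed is dead configuration that only misleads the next reader.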
Copilot AI commented Feb 23, 2026

The qs version override is inconsistent with the root package.json. The root package.json has qs upgraded to 6.14.2, but this file still has 6.14.1. For consistency and to ensure the security patch is applied across the monorepo, this should be updated to 6.14.2.

"resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
"integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==",
"version": "8.18.0",
"resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
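Review bot: the excerpt shows the new `version` and `resolved` lines for ajv 8.18.0 but not its `integrity` field, so check the full lockfile entry carries a fresh `sha512-…` value rather than the 8.17.1 hash or none at all, since npm verifies the downloaded tarball against it; also note that a blanket ajv resolution forces every consumer onto v8, which the later commit on this PR narrows to `schema-utils/ajv` because @eslint/eslintrc still needs v6, so the lockfile should be regenerated once more after that change.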

External Domain URL Detected

Low Severity

This change introduces URLs pointing to external domains in the lock file (e.g., https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz, https://github.com/sponsors/epoberezkin). Please verify that these external dependencies are intentional and review for potential security, privacy, or compliance implications. Approved company domains are: reown.com, walletconnect.com, walletconnect.org


Triggered by team rule: External Domain URL Detection

Align qs from 6.14.1 to 6.14.2 in expo-multichain overrides to match
root package.json and apply the DoS bypass security fix consistently.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
socket-security bot commented Feb 23, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: examples/expo-multichain/package-lock.json (npm/entities@4.5.0)

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


- Use scoped resolution schema-utils/ajv instead of blanket ajv
  to avoid breaking @eslint/eslintrc which needs ajv v6
- Remove ajv override from expo-multichain (not applicable there)
- Remove qs override from expo-multichain (not a transitive dep)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.


Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

@ignaciosantise ignaciosantise merged commit a348447 into develop Feb 23, 2026
11 checks passed
@ignaciosantise ignaciosantise deleted the fix-dependabot-alerts branch February 23, 2026 16:08
@github-actions github-actions bot locked and limited conversation to collaborators Feb 23, 2026