Merge pull request #145 from aave/fix/security-warnings

fix: upgrades dependencies

Author: cesarenaldi

.changeset/nice-cloths-write.md

@@ -0,0 +1,6 @@
+---
+"@aave/client": patch
+"@aave/react": patch
+---
+
+**fix:** polynomial regular expression used on uncontrolled data

.changeset/plain-goats-occur.md

@@ -0,0 +1,2 @@
+---
+---

.github/workflows/ci.yml

@@ -4,6 +4,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

.github/workflows/on-demand.yml

@@ -5,6 +5,9 @@ on:
     types: [on-demand-test]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-tests-on-demand
   cancel-in-progress: true

.github/workflows/pull-request.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

.github/workflows/verify.yml

@@ -7,6 +7,9 @@ on:
         required: false
         default: false
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint

examples/wip/package.json

@@ -8,7 +8,7 @@
     "dev": "vite"
   },
   "dependencies": {
-    "@aave/react": "workspace:*",
+    "@aave/react": "latest",
     "react": "^19.1.0",
     "react-dom": "^19.1.0"
   },

package.json

@@ -18,9 +18,8 @@
     "lint": "biome check",
     "lint:fix": "biome check --write",
     "new:package": "NODE_OPTIONS='--import tsx' plop --plopfile=plopfile.ts",
-    "prepare": "pnpm run build",
     "publish:results": "tsx scripts/publishResults.ts",
-    "release": "pnpm changeset publish",
+    "release": "pnpm run build && pnpm changeset publish",
     "spec": "vitest --project spec",
     "spec:borrow": "vitest --project spec packages/spec/markets/borrow.spec.ts",
     "spec:chains": "vitest --project spec packages/spec/misc/chains.spec.ts",
@@ -48,16 +47,15 @@
   "license": "MIT",
   "devDependencies": {
     "@biomejs/biome": "^2.0.6",
-    "@changesets/cli": "^2.29.5",
     "@types/node": "^24.0.7",
     "@vitest/ui": "^3.2.4",
     "jest-extended": "^6.0.0",
-    "plop": "^4.0.1",
-    "rimraf": "^6.0.1",
+    "plop": "^4.0.4",
+    "rimraf": "^6.1.2",
     "tsx": "^4.20.3",
     "turbo": "^2.5.4",
     "typescript": "^5.9.2",
-    "vite": "^7.0.0",
+    "vite": "^7.3.0",
     "vitest": "^3.2.4"
   },
   "pnpm": {
@@ -66,5 +64,8 @@
       "react-dom": "^19.1.0"
     }
   },
-  "packageManager": "[email protected]"
+  "packageManager": "[email protected]",
+  "dependencies": {
+    "@changesets/cli": "^2.29.8"
+  }
 }

packages/client/package.json

@@ -71,23 +71,22 @@
     "build": "tsup"
   },
   "dependencies": {
-    "@aave/graphql": "workspace:*",
     "@aave/core": "workspace:*",
+    "@aave/graphql": "workspace:*",
     "@aave/types": "workspace:*",
+    "@privy-io/server-auth": "^1.32.5",
     "@urql/core": "^5.2.0",
     "graphql": "^16.11.0"
   },
   "devDependencies": {
     "@bgd-labs/aave-address-book": "^4.25.3",
-    "@privy-io/server-auth": "^1.28.8",
     "ethers": "^6.14.4",
     "thirdweb": "^5.105.25",
-    "tsup": "^8.5.0",
+    "tsup": "^8.5.1",
     "typescript": "^5.9.2",
     "viem": "^2.31.6"
   },
   "peerDependencies": {
-    "@privy-io/server-auth": "^1.28.8",
     "ethers": "^6.14.4",
     "thirdweb": "^5.105.25",
     "viem": "^2.31.6"

packages/client/src/viem.ts

@@ -134,7 +134,7 @@ export function transactionError(
   request: TransactionRequest,
 ): TransactionError {
   const baseUrl = chain?.blockExplorers?.default?.url;
-  const link = baseUrl && `${baseUrl.replace(/\/+$/, '')}/tx/${txHash}`;
+  const link = baseUrl && new URL(`/tx/${txHash}`, baseUrl).toString();
 
   return TransactionError.new({ txHash, request, link });
 }