build(deps): security dependency bumps (axios, qs, fast-uri, react-router, webpack-dev-server)#1336
- axios 1.15.2 -> 1.17.0 (config hardening against prototype-pollution driven SSRF; transitive of casper-js-sdk and apisauce)
- react-router/react-router-dom 6.30.3 -> 6.30.4
- fast-uri 3.1.0 -> 3.1.2 (GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc)
- qs pinned to ^6.15.2 via overrides, covering the security payload of the grouped qs/express/body-parser/web-ext bump without taking the web-ext 8 -> 10 major (requires Node >= 20)
- webpack-dev-server 5.2.3 -> 5.2.4
- @babel/plugin-transform-modules-systemjs 7.29.0 -> 7.29.7
- @protobufjs/utf8 1.1.0 -> 1.1.1

The lockfile is regenerated locally so npm ci stays in sync; the dependabot-generated lockfiles dropped the casper-wallet-core git dependency transitives (node-fetch et al.) and broke npm ci, which is why the e2e jobs failed on every dependabot PR.

Deferred (require Node >= 20 while the project is on Node 18): serialize-javascript 7.0.5 and web-ext 10.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The token-details market data banner renders a "Learn more" link
(cspr.trade) when market data loads, and the substring selector
getByText('More') then resolves to two elements, failing the staking
specs with a strict mode violation.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
What
Applies the dependency updates proposed by the open Dependabot PRs that are safe on the current Node 18 toolchain, in a single batch with a correctly regenerated `package-lock.json`:

- axios 1.15.2 -> 1.17.0 (transitive of `casper-js-sdk`, `apisauce`); 1.17.0 guards `socketPath`/`params`/`paramsSerializer` reads against inherited prototype values affecting request behavior, including SSRF-sensitive paths. Replaces build(deps): bump axios from 1.15.2 to 1.17.0 #1334.
- fast-uri 3.1.0 -> 3.1.2 (… `ajv`). Replaces build(deps): bump fast-uri from 3.1.0 to 3.1.2 #1326.
- qs pinned to ^6.15.2 (`overrides` entry) — covers the security payload of the grouped qs/express/body-parser/web-ext bump (build(deps): bump qs, express, body-parser and web-ext #1331) without taking the web-ext 8 → 10 major, which requires Node ≥ 20. `express` pins `qs` exactly, so an override (same mechanism already used for `elliptic`, `cookie`, etc.) is the only way to move it on express 4.

Why a batch instead of merging the Dependabot PRs

Dependabot cannot resolve the private `casper-wallet-core` git+ssh dependency, so every lockfile it regenerates silently drops that package's transitives (`node-fetch`, `whatwg-url`, …). That leaves `package-lock.json` out of sync and breaks `npm ci` — which is why the e2e jobs fail on all Dependabot PRs while the `build` job (using tolerant `npm install`) passes. The lockfile here is regenerated locally with access to the git dependency, so `npm ci` works again. As a side effect it also fixes the root lock entry for `casper-wallet-core` to match the `git+ssh` URL in `package.json`.

Deferred

`serialize-javascript` 7.0.5 (#1330, fixes two advisories including an RCE-class one — vulnerable range is `>=5.0.0 <7.0.5`) and `web-ext` 10 (#1331) both require Node ≥ 20, while the project is pinned to Node 18 (EOL since April 2025) in `.nvmrc` and all CI workflows. They should land together with a Node 20+ upgrade as a separate task.

Verification

- `npm run ci-check` (prettier, eslint, tsc, jest) passes
- `npm run build:chrome` production build passes
- `npm audit` no longer flags axios, qs, fast-uri, express, body-parser, react-router

Included e2e fix

With the lockfile fixed, the e2e jobs run for real again and exposed a latent selector bug in the staking specs: the token-details market-data banner renders a "Learn more" (cspr.trade) link when market data loads, so the substring selector `getByText('More')` resolves to two elements and fails with a strict mode violation. The staking specs now match the "More" button with `{ exact: true }`, consistent with the other selectors in those files.
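The axios item above describes guarding `socketPath`/`params`/`paramsSerializer` reads against inherited prototype values. The following is an added illustration of that hardening class, not axios's source or this project's code: `readRequestTarget`, `safeReadRequestTarget` and `configOnPollutedPrototype` are hypothetical names, and the injected socket path is a constructed value.

```javascript
// Added illustration of the hardening class the axios bump addresses; this is
// not axios's source. readRequestTarget / safeReadRequestTarget are hypothetical
// names, and the injected value below is constructed for the demo.

const GUARDED_KEYS = ['socketPath', 'params', 'paramsSerializer'];

// Naive read: a plain property access walks the prototype chain, so a value
// planted on the config's prototype is returned as if the caller had set it.
function readRequestTarget(config) {
  const out = {};
  for (const key of GUARDED_KEYS) out[key] = config[key];
  return out;
}

// Hardened read: only the caller's own properties count; anything inherited
// from a prototype is treated as unset.
function safeReadRequestTarget(config) {
  const out = {};
  for (const key of GUARDED_KEYS) {
    out[key] = Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
  }
  return out;
}

// Build a config whose prototype carries injected keys. A private prototype is
// used instead of mutating the real Object.prototype so the demo stays contained.
function configOnPollutedPrototype(ownConfig, injected) {
  const proto = Object.assign(Object.create(Object.prototype), injected);
  return Object.assign(Object.create(proto), ownConfig);
}

// Constructed scenario: the caller only sets `url`, but the prototype carries
// `socketPath`, which would retarget the request to a unix socket if honoured.
function demo() {
  const cfg = configOnPollutedPrototype(
    { url: '/api/tokens' },
    { socketPath: '/run/injected.sock' } // constructed value, not a real path
  );
  return { naive: readRequestTarget(cfg), safe: safeReadRequestTarget(cfg) };
}
```

Running `demo()` shows the naive read returning the inherited `socketPath` while the own-property read leaves it `undefined`, which is the difference the 1.17.0 guard enforces.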