
build(deps): security dependency bumps (axios, qs, fast-uri, react-router, webpack-dev-server) #1336

Merged
Comp0te merged 2 commits into develop from deps/dependabot-security-bumps on Jun 11, 2026

Conversation

@Comp0te (Collaborator) commented Jun 11, 2026

What

Applies the dependency updates proposed by the open Dependabot PRs that are safe on the current Node 18 toolchain, in a single batch with a correctly regenerated package-lock.json:

Why a batch instead of merging the Dependabot PRs

Dependabot cannot resolve the private casper-wallet-core git+ssh dependency, so every lockfile it regenerates silently drops that package's transitives (node-fetch, whatwg-url, …). That leaves package-lock.json out of sync and breaks npm ci — which is why the e2e jobs fail on all Dependabot PRs while the build job (using tolerant npm install) passes. The lockfile here is regenerated locally with access to the git dependency, so npm ci works again. As a side effect it also fixes the root lock entry for casper-wallet-core to match the git+ssh URL in package.json.

Deferred

serialize-javascript 7.0.5 (#1330, fixes two advisories including an RCE-class one — vulnerable range is >=5.0.0 <7.0.5) and web-ext 10 (#1331) both require Node ≥ 20, while the project is pinned to Node 18 (EOL since April 2025) in .nvmrc and all CI workflows. They should land together with a Node 20+ upgrade as a separate task.

Verification

  • npm run ci-check (prettier, eslint, tsc, jest) passes
  • npm run build:chrome production build passes
  • npm audit no longer flags axios, qs, fast-uri, express, body-parser, react-router

Included e2e fix

With the lockfile fixed, the e2e jobs run for real again and exposed a latent selector bug in the staking specs: the token-details market-data banner renders a "Learn more" (cspr.trade) link when market data loads, so the substring selector getByText('More') resolves to two elements and fails with a strict mode violation. The staking specs now match the "More" button with { exact: true }, consistent with the other selectors in those files.

- axios 1.15.2 -> 1.17.0 (config hardening against prototype-pollution
  driven SSRF; transitive of casper-js-sdk and apisauce)
- react-router/react-router-dom 6.30.3 -> 6.30.4
- fast-uri 3.1.0 -> 3.1.2 (GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc)
- qs pinned to ^6.15.2 via overrides, covering the security payload of
  the grouped qs/express/body-parser/web-ext bump without taking the
  web-ext 8 -> 10 major (requires Node >= 20)
- webpack-dev-server 5.2.3 -> 5.2.4
- @babel/plugin-transform-modules-systemjs 7.29.0 -> 7.29.7
- @protobufjs/utf8 1.1.0 -> 1.1.1

The lockfile is regenerated locally so npm ci stays in sync; the
dependabot-generated lockfiles dropped the casper-wallet-core git
dependency transitives (node-fetch et al.) and broke npm ci, which is
why the e2e jobs failed on every dependabot PR.

Deferred (require Node >= 20 while the project is on Node 18):
serialize-javascript 7.0.5 and web-ext 10.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@Comp0te self-assigned this Jun 11, 2026

The token-details market data banner renders a "Learn more" link
(cspr.trade) when market data loads, and the substring selector
getByText('More') then resolves to two elements, failing the staking
specs with a strict mode violation.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
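The selector collision from the second commit, worked through as an added example (not code from the PR or the wallet project): a small re-implementation of Playwright's getByText() matching rules and its strict-mode check, run against a constructed element list standing in for the token-details page. Real Playwright locators need a browser; the rules modelled here (case-insensitive substring by default, case-sensitive whole-string with exact: true, whitespace trimmed) follow its documented behaviour and are an assumption of this example.

```javascript
// Added example, not the PR's code: a model of Playwright's getByText()
// matching (case-insensitive substring by default; whole-string and
// case-sensitive with { exact: true }; whitespace trimmed either way) and
// of strict mode, which refuses to act on a locator matching >1 element.

const norm = (s) => s.replace(/\s+/g, ' ').trim();

// Default: substring match ignoring case. exact: whole trimmed text, case-sensitive.
function textMatches(elementText, wanted, { exact = false } = {}) {
  const hay = norm(elementText);
  const needle = norm(wanted);
  return exact ? hay === needle : hay.toLowerCase().includes(needle.toLowerCase());
}

// Resolve a text locator against constructed { tag, text } elements.
function getByText(elements, wanted, options) {
  return elements.filter((el) => textMatches(el.text, wanted, options));
}

// Strict mode: a click on a locator that resolves to several elements throws
// instead of silently using the first match.
function clickStrict(elements, wanted, options) {
  const matches = getByText(elements, wanted, options);
  if (matches.length !== 1) {
    throw new Error(
      `strict mode violation: getByText(${JSON.stringify(wanted)}) resolved to ${matches.length} elements`,
    );
  }
  return matches[0];
}

// Constructed token-details page after market data has loaded: the banner's
// "Learn more" link now sits next to the staking "More" button.
const tokenDetailsPage = [
  { tag: 'a', text: 'Learn more' },
  { tag: 'button', text: ' More ' },
  { tag: 'button', text: 'Stake' },
];

// Old selector vs. the fixed one; returns what each does.
function demo() {
  let substringError = null;
  try {
    clickStrict(tokenDetailsPage, 'More');
  } catch (e) {
    substringError = e.message;
  }
  const exactTarget = clickStrict(tokenDetailsPage, 'More', { exact: true });
  return { substringError, exactTarget };
}
```

The same collision would reappear for any future banner text containing "more" in any case, which is why the exact match is the durable fix rather than reordering the elements.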