Summary
@pendle/boros-core@1.0.6 (pulled in by @pendle/sdk-boros@1.1.42) introduces 28 npm audit vulnerabilities into downstream consumers. All of them originate from transitive
dependencies on ethers v5 (EOL, no longer maintained), hardhat-deploy, and legacy @openzeppelin/contracts versions brought in through the LayerZero dependency chain.
Dependency chain causing the vulnerabilities
@pendle/sdk-boros@1.1.42
└── @pendle/boros-core@1.0.6
    ├── @layerzerolabs/lz-evm-protocol-v2@3.0.148
    │   └── hardhat-deploy@0.12.4
    │       ├── ethers@5.8.0 ← EOL, all @ethersproject/* are vulnerable
    │       └── zksync-ethers@5.11.1
    │           └── ethers@5.7.2
    └── @layerzerolabs/oapp-evm@0.4.0
        ├── ethers@5.8.0
        ├── @layerzerolabs/lz-evm-messagelib-v2@3.0.166
        │   ├── @chainlink/contracts-ccip@0.7.6
        │   │   └── @eth-optimism/contracts@0.5.40
        │   │       └── ethers@5.8.0
        │   └── @eth-optimism/contracts@0.6.0
        │       └── ethers@5.8.0
        └── @layerzerolabs/lz-evm-v1-0.7@3.0.166
            └── hardhat-deploy@0.12.4 (deduped)
Vulnerabilities
28 total (2 high, 6 moderate, 20 low):
High severity
- (GHSA-7grf-83vw-6f5x), clashing proxy selectors (GHSA-mx2q-35m2-x2rh)
- (GHSA-wprv-93r4-jj2p), governor frontrunning (GHSA-5h3x-9wvq-w4m2), base64 dirty memory read (GHSA-9vx6-7xxf-x967)
Low / Moderate severity (all via ethers v5 / elliptic)
- elliptic (all versions) — Risky cryptographic implementation (GHSA-848j-6mx2-7j84)
- @ethersproject/signing-key, @ethersproject/transactions, @ethersproject/providers, @ethersproject/abstract-provider, @ethersproject/abstract-signer, @ethersproject/hash, @ethersproject/hdnode, @ethersproject/wallet, @ethersproject/wordlists, @ethersproject/json-wallets — all depend on vulnerable elliptic and on each other; ethers v5 is EOL, so no patches will be released.
Impact on consumers
- npm audit reports 28 vulnerabilities, none of which can be resolved by npm audit fix
- npm audit fix --force downgrades @pendle/sdk-boros to 1.0.12 (a breaking change) and still does not resolve the transitive issues
- npm overrides can only partially mitigate elliptic and @openzeppelin/*; the @ethersproject/* chain cannot be overridden without breaking ethers v5 at runtime
- This blocks consumers that enforce zero-vulnerability policies in CI/CD pipelines
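For consumers stuck behind such a policy, the practical question is which advisories are genuinely unfixable versus merely unfixed. The script below is an added example (not code from this issue or from the Pendle project) that reads the npm >= 7 `npm audit --json` format, follows each finding's `via` chain back to its root advisories, and separates advisories with no fix from findings whose only fix is a semver-major change. The embedded report is constructed to mirror the elliptic / @ethersproject chain above; the `blockedAdvisories` gate and the accepted-list idea are assumptions about how a team would run it in CI.

```javascript
// Added example: triage of `npm audit --json` output (npm >= 7 report format).
// In that format, strings in a package's `via` array name other vulnerable packages and
// objects are the advisories themselves; `fixAvailable` is false, true, or a semver-major hint.
// SAMPLE_REPORT is constructed to mirror this issue's elliptic / ethers v5 chain, not real output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    elliptic: { name: "elliptic", severity: "low", isDirect: false, range: "*", fixAvailable: false,
      via: [{ source: 1, name: "elliptic", title: "Risky cryptographic implementation",
              url: "https://github.com/advisories/GHSA-848j-6mx2-7j84", severity: "low", range: "*" }],
      effects: ["@ethersproject/signing-key"] },
    "@ethersproject/signing-key": { name: "@ethersproject/signing-key", severity: "low", isDirect: false,
      range: "*", fixAvailable: false, via: ["elliptic"], effects: ["@pendle/sdk-boros"] },
    "@pendle/sdk-boros": { name: "@pendle/sdk-boros", severity: "low", isDirect: true, range: ">=1.1.0",
      via: ["@ethersproject/signing-key"], effects: [],
      fixAvailable: { name: "@pendle/sdk-boros", version: "1.0.12", isSemVerMajor: true } },
  },
};

// Follow `via` chains back to advisory objects; returns the set of advisory URLs behind `pkg`.
function rootAdvisories(report, pkg, seen = new Set()) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || seen.has(pkg)) return new Set();
  seen.add(pkg);
  const roots = new Set();
  for (const v of entry.via) {
    if (typeof v === "string") rootAdvisories(report, v, seen).forEach((u) => roots.add(u));
    else roots.add(v.url);
  }
  return roots;
}

// Counts by severity, GHSA ids with no fix at all, and findings whose only fix is a
// breaking (semver-major) change such as the downgrade to 1.0.12 described above.
function summarize(report) {
  const out = { total: 0, bySeverity: {}, unfixable: new Set(), breakingFixOnly: [] };
  for (const [pkg, entry] of Object.entries(report.vulnerabilities)) {
    out.total += 1;
    out.bySeverity[entry.severity] = (out.bySeverity[entry.severity] || 0) + 1;
    if (entry.fixAvailable === false) {
      for (const url of rootAdvisories(report, pkg)) out.unfixable.add(url.split("/").pop());
    } else if (entry.fixAvailable && entry.fixAvailable.isSemVerMajor) {
      out.breakingFixOnly.push(`${pkg} -> ${entry.fixAvailable.name}@${entry.fixAvailable.version}`);
    }
  }
  return { ...out, unfixable: [...out.unfixable].sort() };
}

// CI gate (assumed policy): fail only on unfixable advisories the team has not explicitly accepted.
function blockedAdvisories(summary, accepted) {
  return summary.unfixable.filter((id) => !accepted.has(id));
}

console.log(JSON.stringify(summarize(SAMPLE_REPORT), null, 2));
```

Replace `SAMPLE_REPORT` with `JSON.parse` of a real `npm audit --json` run to use it against your own lockfile.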
Environment
- @pendle/sdk-boros@1.1.42
- @pendle/boros-core@1.0.6
- Node 22
- npm 10