Commit 7631aba

chore(deps): pro 72 chore solve critical and high dependency vulnerabilities from dependabot (#125)
* chore(deps): audit fix for all projects
* chore(deps): update lodash to version 4.18.1 and add override in chains-config-checker
* chore(deps): update axios to version 1.15.2 and serialize-javascript to version 7.0.5
  - Bumped axios from 1.15.0 to 1.15.2 in package-lock.json.
  - Updated serialize-javascript from 6.0.2 to 7.0.5, adding a node engine requirement in package-lock.json.
  - Added axios version override in package.json to ensure compatibility.
* chore(deps): update axios and serialize-javascript in wrapper registry
  - Updated axios to version 0.30.3 in package-lock.json, replacing the previous version 1.15.2.
  - Added version overrides for axios and serialize-javascript in package.json to ensure compatibility.
  - Removed outdated proxy-from-env version 2.1.0 and added version 1.1.0 for various dependencies in package-lock.json.
* chore(deps): update serialize-javascript and add axios override in confidential-wrapper
  - Updated serialize-javascript to version 7.0.5 in package-lock.json, including a node engine requirement.
  - Added version override for axios in package.json to ensure compatibility with the updated dependencies.
* chore(deps): update lodash to version 4.18.1 and serialize-javascript to version 7.0.5 with overrides
  - Updated lodash to version 4.18.1 in package-lock.json, including a version override in package.json.
  - Updated serialize-javascript to version 7.0.5 in package-lock.json, adding a node engine requirement and an override in package.json.
* chore(deps): undo audit fix to OpenZeppelin contracts version overrides in governance
  - Removed outdated version overrides for @openzeppelin/contracts and @openzeppelin/contracts-upgradeable in both package.json and pnpm-lock.yaml.
  - Updated the version constraints for @openzeppelin/contracts and @openzeppelin/contracts-upgradeable to support versions ^4.8.1 and ^5.0.0, ensuring compatibility with the latest releases.
* chore(deps): update package dependencies in safe
  - Removed "peer" flags from several dependencies in package-lock.json to streamline configuration.
  - Updated glob to version 10.5.0 in package.json and package-lock.json, ensuring compatibility with the latest features and security fixes.
  - Added version overrides for axios, ws, elliptic, lodash, serialize-javascript, and glob in package.json to maintain compatibility across the project.
* chore(deps): update OpenZeppelin contracts version constraints in solanaOFT
  - Removed outdated version overrides for @openzeppelin/contracts and @openzeppelin/contracts-upgradeable in package.json and pnpm-lock.yaml.
  - Updated version constraints to support versions ^4.8.1 and ^5.0.0, ensuring compatibility with the latest releases.
* chore(deps): update package-lock.json and package.json for staking
  - Added new dependency @isaacs/fs-minipass version 4.0.1 in package-lock.json.
  - Updated serialize-javascript to version 7.0.5 with a new node engine requirement in package-lock.json.
  - Updated tar to version 7.5.13 and adjusted its dependencies in package-lock.json.
  - Added version overrides for axios, ws, tar, and serialize-javascript in package.json to ensure compatibility across the project.
* chore(deps): update OpenZeppelin contracts version constraints in token
  - Removed outdated version overrides for @openzeppelin/contracts and @openzeppelin/contracts-upgradeable in package.json and pnpm-lock.yaml.
  - Updated version constraints to support versions ^4.8.1 and ^5.0.0, ensuring compatibility with the latest releases.
* chore(deps): add lodash version overrides for layerzerolabs SDKs in chains-config-checker
  - Introduced version overrides for lodash to ^4.18.1 specifically for @layerzerolabs/lz-solana-sdk-v2 and @layerzerolabs/oft-v2-solana-sdk in package.json, ensuring compatibility with these dependencies.
* chore(deps): use package level overrides across multiple packages
  - Added version overrides for axios and serialize-javascript in package.json files for confidential-batcher, confidential-token-wrappers-registry, confidential-wrapper, and staking to ensure compatibility with updated dependencies.
  - Updated package-lock.json files to reflect the new axios version 0.31.1 and added proxy-from-env as a dependency in hardhat-deploy.
  - Ensured consistent axios and serialize-javascript versions across hardhat-related packages to maintain compatibility.
* chore(deps): downgrade ws version in package-lock.json for compatibility
  - Changed ws version from 8.18.0 to 7.5.10 in package-lock.json to ensure compatibility with existing dependencies.
  - Updated node engine requirement for ws to >=8.3.0 and adjusted peer dependency for utf-8-validate to ^5.0.2.
* chore(deps): add elliptic version override in staking package.json
  - Introduced a version override for elliptic to 6.6.1 in package.json to ensure compatibility with existing dependencies.
* chore(deps): remove overrides from package.json in governance and solanaOFT
  - Eliminated unnecessary version overrides for various dependencies in package.json files for governance and solanaOFT, streamlining dependency management and ensuring compatibility with existing versions.
* chore(deps): simplify pnpm overrides from audit fix
* chore(deps): update dependabot configuration and mark repositories as deprecated
  - Added exclusion paths for `feesBurner` and `pauserSetWrapper` in the dependabot configuration to prevent updates.
  - Updated README files for `feesBurner` and `pauserSetWrapper` to indicate that these repositories are deprecated and no longer maintained.
* chore(deps): update ws version in package-lock.json for safe and staking
  - Updated ws version from 7.5.10 to 8.17.1 in the safe package-lock.json for improved compatibility.
  - Downgraded ws version from 8.18.0 to 7.5.10 in the staking package-lock.json to maintain compatibility with existing dependencies.
  - Adjusted node engine requirements and peer dependencies accordingly.
* fix: trigger ci
* chore(deps): regen staking lock file
* chore(deps): update undici version in package.json and pnpm-lock.yaml
  - Changed undici dependency version from <6.24.0 to ^6.24.0 in package.json files for governance and token.
  - Updated undici version from 8.1.0 to 6.25.0 in pnpm-lock.yaml files for governance and token to ensure compatibility with existing dependencies.
* chore(ci): add Node.js setup step in GitHub Actions workflow for staking
  - Introduced a new step to set up Node.js version 20.x in the contracts-staking-hardhat-tests.yml workflow.
  - Configured caching for npm dependencies to optimize build times.
* chore(deps): allow higher version ranges for tar and ws in staking
* chore(deps): move ws and tar to top-level overrides in staking
1 parent d885e67 commit 7631aba

24 files changed

Lines changed: 4902 additions & 5108 deletions


.github/dependabot.yml

Lines changed: 3 additions & 0 deletions
@@ -15,3 +15,6 @@ updates:
1515
interval: "weekly"
1616
# Set to 0 to prevent version updates (i.e. require only security updates)
1717
open-pull-requests-limit: 0
18+
exclude-paths:
19+
- contracts/feesBurner/
20+
- contracts/pauserSetWrapper/
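Review bot: the new `exclude-paths` entries for `contracts/feesBurner/` and `contracts/pauserSetWrapper/` sit under an update config whose own comment says `open-pull-requests-limit: 0` is there to let only security updates through; excluding these paths switches off security updates for them as well, while the directories and whatever lock files they contain stay in the repository. Since the commit message states these components are deprecated, add a YAML comment above the exclusion saying so (for example `# deprecated and unmaintained, see the README in each directory`), so a later maintainer does not read the silence from Dependabot as "no vulnerable dependencies here".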

.github/workflows/contracts-staking-hardhat-tests.yml

Lines changed: 7 additions & 0 deletions
@@ -29,6 +29,13 @@ jobs:
2929
with:
3030
persist-credentials: 'false'
3131

32+
- name: Setup Node
33+
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
34+
with:
35+
node-version: 20.x
36+
cache: npm
37+
cache-dependency-path: contracts/staking/package-lock.json
38+
3239
- name: Install dependencies
3340
working-directory: contracts/staking
3441
run: npm ci
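Review bot: `node-version: 20.x` is a floating range, so CI resolves whichever 20.x the runner offers while developers regenerating `contracts/staking/package-lock.json` may be on a different release; given that the commit message notes the updated `serialize-javascript` introduces a node engine requirement, consider `node-version-file` pointing at an `.nvmrc`, or an `engines.node` field in `contracts/staking/package.json`, so the version the lock file was generated against is recorded once. The SHA-pinned `actions/setup-node` with its `# v4.0.2` comment and the `cache-dependency-path` matching the `npm ci` working directory are both as they should be.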

contracts/chains-config-checker/package-lock.json

Lines changed: 329 additions & 318 deletions

contracts/chains-config-checker/package.json

Lines changed: 7 additions & 1 deletion
@@ -28,6 +28,12 @@
2828
"ethers": "^6.0.0"
2929
},
3030
"overrides": {
31-
"@solana/web3.js": "~1.95.8"
31+
"@solana/web3.js": "~1.95.8",
32+
"@layerzerolabs/lz-solana-sdk-v2": {
33+
"lodash": "^4.18.1"
34+
},
35+
"@layerzerolabs/oft-v2-solana-sdk": {
36+
"lodash": "^4.18.1"
37+
}
3238
}
3339
}
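Review bot: the two added entries scope `lodash` to `^4.18.1` only beneath `@layerzerolabs/lz-solana-sdk-v2` and `@layerzerolabs/oft-v2-solana-sdk`, so any other copy of lodash in the tree keeps whatever version the lock file already pins. If the intent is to clear the lodash finding for the whole package, a single top-level `"lodash": "^4.18.1"` next to `"@solana/web3.js"` covers every path and is easier to audit; if the narrow scope is deliberate, to avoid forcing the bump on other consumers, say so in the commit message, since package.json cannot carry a comment.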

contracts/confidential-batcher/package-lock.json

Lines changed: 32 additions & 28 deletions

contracts/confidential-batcher/package.json

Lines changed: 13 additions & 1 deletion
@@ -55,6 +55,18 @@
5555
"test:sepolia": "hardhat test --network sepolia"
5656
},
5757
"overrides": {
58-
"@fhevm/solidity": "^0.11.1"
58+
"@fhevm/solidity": "^0.11.1",
59+
"hardhat-deploy": {
60+
"axios": "^1.15.0"
61+
},
62+
"hardhat": {
63+
"serialize-javascript": "^7.0.3"
64+
},
65+
"mocha": {
66+
"serialize-javascript": "^7.0.3"
67+
},
68+
"solidity-coverage": {
69+
"serialize-javascript": "^7.0.3"
70+
}
5971
}
6072
}
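Review bot: the override floors are lower than the versions the commit message says were installed: `"axios": "^1.15.0"` under `hardhat-deploy` while the lock file was bumped from 1.15.0 to 1.15.2, and `"serialize-javascript": "^7.0.3"` in three places while the lock file holds 7.0.5. A caret override only takes effect when the lock file is regenerated, and at that point `^1.15.0` still admits the 1.15.0 the commit moved away from, so set each floor to the version that carries the fix (`^1.15.2`, `^7.0.5`). The three identical `serialize-javascript` entries for `hardhat`, `mocha` and `solidity-coverage` can also collapse into one top-level `"serialize-javascript": "^7.0.5"` override.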
