chore(deps): pro 72 chore solve critical and high dependency vulnerabilities from dependabot #125
Merged
Seth-Schmidt merged 25 commits into main on Apr 28, 2026
Conversation
…ns-config-checker
…to version 7.0.5 - Bumped axios from 1.15.0 to 1.15.2 in package-lock.json. - Updated serialize-javascript from 6.0.2 to 7.0.5, adding a node engine requirement in package-lock.json. - Added axios version override in package.json to ensure compatibility.
- Updated axios to version 0.30.3 in package-lock.json, replacing the previous version 1.15.2. - Added version overrides for axios and serialize-javascript in package.json to ensure compatibility. - Removed outdated proxy-from-env version 2.1.0 and added version 1.1.0 for various dependencies in package-lock.json.
…nfidential-wrapper - Updated serialize-javascript to version 7.0.5 in package-lock.json, including a node engine requirement. - Added version override for axios in package.json to ensure compatibility with the updated dependencies.
… to version 7.0.5 with overrides - Updated lodash to version 4.18.1 in package-lock.json, including a version override in package.json. - Updated serialize-javascript to version 7.0.5 in package-lock.json, adding a node engine requirement and an override in package.json.
…es in governance - Removed outdated version overrides for @openzeppelin/contracts and @openzeppelin/contracts-upgradeable in both package.json and pnpm-lock.yaml. - Updated the version constraints for @openzeppelin/contracts and @openzeppelin/contracts-upgradeable to support versions ^4.8.1 and ^5.0.0, ensuring compatibility with the latest releases.
- Removed "peer" flags from several dependencies in package-lock.json to streamline configuration. - Updated glob to version 10.5.0 in package.json and package-lock.json, ensuring compatibility with the latest features and security fixes. - Added version overrides for axios, ws, elliptic, lodash, serialize-javascript, and glob in package.json to maintain compatibility across the project.
…anaOFT - Removed outdated version overrides for @openzeppelin/contracts and @openzeppelin/contracts-upgradeable in package.json and pnpm-lock.yaml. - Updated version constraints to support versions ^4.8.1 and ^5.0.0, ensuring compatibility with the latest releases.
- Added new dependency @isaacs/fs-minipass version 4.0.1 in package-lock.json. - Updated serialize-javascript to version 7.0.5 with a new node engine requirement in package-lock.json. - Updated tar to version 7.5.13 and adjusted its dependencies in package-lock.json. - Added version overrides for axios, ws, tar, and serialize-javascript in package.json to ensure compatibility across the project.
- Removed outdated version overrides for @openzeppelin/contracts and @openzeppelin/contracts-upgradeable in package.json and pnpm-lock.yaml. - Updated version constraints to support versions ^4.8.1 and ^5.0.0, ensuring compatibility with the latest releases.
…hains-config-checker - Introduced version overrides for lodash to ^4.18.1 specifically for @layerzerolabs/lz-solana-sdk-v2 and @layerzerolabs/oft-v2-solana-sdk in package.json, ensuring compatibility with these dependencies.
- Added version overrides for axios and serialize-javascript in package.json files for confidential-batcher, confidential-token-wrappers-registry, confidential-wrapper, and staking to ensure compatibility with updated dependencies. - Updated package-lock.json files to reflect the new axios version 0.31.1 and added proxy-from-env as a dependency in hardhat-deploy. - Ensured consistent axios and serialize-javascript versions across hardhat-related packages to maintain compatibility.
- Changed ws version from 8.18.0 to 7.5.10 in package-lock.json to ensure compatibility with existing dependencies. - Updated node engine requirement for ws to >=8.3.0 and adjusted peer dependency for utf-8-validate to ^5.0.2.
- Introduced a version override for elliptic to 6.6.1 in package.json to ensure compatibility with existing dependencies.
…anaOFT - Eliminated unnecessary version overrides for various dependencies in package.json files for governance and solanaOFT, streamlining dependency management and ensuring compatibility with existing versions.
… deprecated - Added exclusion paths for `feesBurner` and `pauserSetWrapper` in the dependabot configuration to prevent updates. - Updated README files for `feesBurner` and `pauserSetWrapper` to indicate that these repositories are deprecated and no longer maintained.
- Updated ws version from 7.5.10 to 8.17.1 in the safe package-lock.json for improved compatibility. - Downgraded ws version from 8.18.0 to 7.5.10 in the staking package-lock.json to maintain compatibility with existing dependencies. - Adjusted node engine requirements and peer dependencies accordingly.
- Changed undici dependency version from <6.24.0 to ^6.24.0 in package.json files for governance and token. - Updated undici version from 8.1.0 to 6.25.0 in pnpm-lock.yaml files for governance and token to ensure compatibility with existing dependencies.
- Introduced a new step to set up Node.js version 20.x in the contracts-staking-hardhat-tests.yml workflow. - Configured caching for npm dependencies to optimize build times.
gasp
approved these changes
Apr 28, 2026
Contributor
"This universe henceforth without a master seems to him neither sterile nor futile. Each grain of that stone, each mineral flake of that night-filled mountain, in itself forms a world. The struggle itself toward the heights is enough to fill a man's heart. One must imagine Sisyphus happy."
Albert Camus, in The Myth of Sisyphus
jatZama
approved these changes
Apr 28, 2026
Overview

Addresses critical and high severity dependency vulnerabilities surfaced by dependabot across all packages under `contracts/`. The fix is implemented primarily through scoped package-manager overrides rather than direct dependency bumps, as most parent dependencies do not cover the target ranges (LayerZero tooling + Hardhat).

Changes by package

Repository-level

- `.github/dependabot.yml` — adds `exclude-paths` for `contracts/feesBurner/` and `contracts/pauserSetWrapper/` (now deprecated/archived).
- `contracts/feesBurner/README.md`, `contracts/pauserSetWrapper/README.md` — prepend a deprecation/archive warning banner.

pnpm workspaces (broad CVE override sweeps)

These packages received large `pnpm.overrides` blocks pinning vulnerable transitive packages to patched ranges. Override block was generated by `pnpm audit` and duplicate entries condensed by Claude.

- `contracts/governance/package.json` — removed the duplicated top-level `overrides` and consolidated everything under `pnpm.overrides`; added ~25 CVE pins.
- `contracts/solanaOFT/package.json` — same consolidation; added pins including `protobufjs`, `valibot`, `yargs-parser`.
- `contracts/token/package.json` — adds the largest set, including pins for `@eslint/plugin-kit`, `@hono/node-server`, `@modelcontextprotocol/sdk`, `hono`, `path-to-regexp` v8 range, etc.

npm workspaces (targeted, scoped overrides)

These packages use npm-style nested `overrides` to scope fixes to specific parent dependencies manually:

- `contracts/safe/package.json` — scoped overrides for `hardhat-deploy` (`elliptic`, `ws`), `hardhat` (`serialize-javascript`, `lodash`), `solhint` (`lodash`); top-level `axios` and `glob` bumps.
- `contracts/staking/package.json` — scoped `serialize-javascript`, `axios`, `ws`, `tar`, `glob` fixes across `hardhat`, `hardhat-deploy`, `@openzeppelin/hardhat-upgrades`, `hardhat-gas-reporter`, `mocha`, `solidity-coverage`, `sqlite3`. Keeps the existing `elliptic` 6.6.1 pin.
- `contracts/confidential-batcher/package.json` — scoped `axios` (under `hardhat-deploy`) and `serialize-javascript` (under `hardhat`/`mocha`/`solidity-coverage`).
- `contracts/confidential-wrapper/package.json` — same pattern; scoped `axios` under `hardhat-deploy`, `hardhat-gas-reporter`, `@openzeppelin/hardhat-upgrades`, plus `serialize-javascript` fixes.
- `contracts/chains-config-checker/package.json` — scoped `lodash@^4.18.1` under `@layerzerolabs/lz-solana-sdk-v2` and `@layerzerolabs/oft-v2-solana-sdk`.
- `contracts/fhevm-cli/package.json` — scoped `lodash` and `serialize-javascript` under `hardhat` and `@trivago/prettier-plugin-sort-imports`.
- `contracts/confidential-fhevm-wrapper-registry/package.json` — adds an `overrides` block with `axios` and `serialize-javascript` fixes (see file diff).

Deprecation

`feesBurner` and `pauserSetWrapper` are intentionally excluded from further Dependabot updates because they are archived/deprecated.
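One check worth running after an override sweep like this, as an added example that is not code from the PR or the repository: a script that takes the npm-style `overrides` structure described above (top-level entries and entries scoped under a parent such as `hardhat-deploy`) and a lockfile `packages` map, resolves each overridden package the way Node would from its parent, and reports any resolved version still outside the pinned range. The lockfile subset and all versions below are constructed sample data, and the semver handling covers only the exact pins and caret ranges the overrides use.

```javascript
// Added example, not from the PR: verify npm "overrides" (top-level and scoped under a parent,
// the pattern this PR uses) actually took effect in package-lock.json. Data below is constructed.
const overrides = {
  "axios": "^1.15.2",                                          // top-level override
  "hardhat-deploy": { "elliptic": "6.6.1", "ws": "^8.17.1" },  // scoped overrides
  "hardhat": { "lodash": "^4.18.1" },
};
// Constructed subset of a lockfile v3 "packages" map (install path -> version).
const lockPackages = {
  "node_modules/axios": { version: "1.15.2" },
  "node_modules/lodash": { version: "4.17.21" },               // hoisted copy, still old
  "node_modules/hardhat": { version: "2.0.0" },
  "node_modules/hardhat-deploy": { version: "0.12.0" },
  "node_modules/hardhat-deploy/node_modules/elliptic": { version: "6.5.4" }, // pin missed
  "node_modules/hardhat-deploy/node_modules/ws": { version: "8.17.1" },
};
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// Supports the two range forms the overrides use: exact pins and caret ranges.
function satisfies(version, range) {
  const v = parse(version);
  if (!range.startsWith("^")) return cmp(v, parse(range)) === 0;
  const r = parse(range.slice(1));
  const sameLine = r[0] === 0 ? v[0] === 0 && v[1] === r[1] : v[0] === r[0];
  return sameLine && cmp(v, r) >= 0;
}
// Mimic Node resolution of `dep` from `parent`: nested copy first, then the hoisted copy.
function resolve(lock, parent, dep) {
  const paths = parent ? [`node_modules/${parent}/node_modules/${dep}`] : [];
  paths.push(`node_modules/${dep}`);
  for (const p of paths) if (lock[p]) return { path: p, version: lock[p].version };
  return null; // not installed: the override has no target
}
// Returns one entry per override whose resolved version falls outside the pinned range.
function checkOverrides(ov, lock) {
  const problems = [];
  const check = (parent, dep, range) => {
    const hit = resolve(lock, parent, dep);
    if (hit && !satisfies(hit.version, range))
      problems.push({ parent, dep, expected: range, actual: hit.version, path: hit.path });
  };
  for (const [key, val] of Object.entries(ov)) {
    if (typeof val === "string") check(null, key, val);
    else for (const [dep, range] of Object.entries(val)) check(key, dep, range);
  }
  return problems;
}
```

Against a real package, replace the two constants with `require('./package.json').overrides` and `require('./package-lock.json').packages`; an empty result means every pin resolved as intended.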