fix: bump transitive ws off vulnerable 8.17.1 (dependency-review)#3019
Open
yogurtandjam wants to merge 1 commit into
Conversation
@yogurtandjam is attempting to deploy a commit to the Aave Team on Vercel. A member of the Team first needs to authorize it.
ws@8.17.1 is pulled by ethers@6.13.5 <- tronweb <- funkit's relay deps and trips dependency-review on two advisories:

- GHSA-96hv-2xvq-fx4p (high): ws 8.x affected < 8.21.0 (first patched 8.21.0)
- GHSA-58qx-3vcg-4xpx (medium): ws 8.x affected < 8.20.1 (first patched 8.20.1)

Add a scoped resolution so ethers' ws resolves to ^8.21.0 (already in the tree, patched for BOTH advisories) instead of 8.17.1:

    "resolutions": { "tronweb/ethers/ws": "^8.21.0" }

- Anchored at tronweb (a direct dep), not the transitive ethers: yarn-classic won't apply a selective resolution anchored at a deeply-transitive package.
- Scoped, not global: a global ws resolution would drag WalletConnect's ws@7.x to 8.x. This leaves ws@7.5.11 (already patched for the 7.x range) untouched.

Verified: no ws resolves to 8.17.1; ethers' ws -> 8.21.0; ws@7.5.11 unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem

`dependency-review` fails on `ws@8.17.1` (pulled transitively: `@funkit/connect` → `@funkit/fun-relay` → `@relayprotocol/*` → `tronweb@6.3.0` → `ethers@6.13.5`, which pins `ws@8.17.1`). Two advisories apply, per the GitHub Advisory DB:

- GHSA-96hv-2xvq-fx4p (high): `< 8.21.0`
- GHSA-58qx-3vcg-4xpx (medium): `< 8.20.1`

`8.17.1` is the only net-new `ws@8.x` this branch line adds vs `main` (which already has 8.18.0/8.18.3/8.20.1/8.21.0).

Fix

Scoped yarn resolution so `ethers`'s `ws` resolves to `^8.21.0`, which is patched for both advisories and already in the tree (clean dedupe, no net-new vulnerable version).

- Anchored at `tronweb` (a direct dependency), not the transitive `ethers`: yarn-classic ignores a selective resolution anchored at a deeply-transitive package (`"ethers/ws"` had no effect).
- Scoped, not global: a global `"ws"` resolution would drag WalletConnect's `ws@7.x` → 8.x; this leaves `ws@7.5.11` (already patched for the 7.x range) untouched.

Verification (post `yarn install`)

- No `ws` resolves to `8.17.1` (the only PR-net-new `ws@8.x`)
- `ethers`'s `ws` requirement now resolves to `8.21.0`
- `ws@7.5.11` (WalletConnect) unchanged

`ws` is Node-only; ethers/WalletConnect use native `WebSocket` in the browser, so runtime impact is negligible.

🤖 Generated with Claude Code
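The verification step above ("no `ws` resolves to `8.17.1`") can be turned into a repeatable lockfile check. The script below is an added example, not code from this PR or the Aave project: it parses a yarn v1 lockfile, collects every resolved version of a package, and flags versions that fall inside an advisory's affected range. The lockfile text is constructed for illustration (the `ws@8.17.1`, `ws@8.21.0` and `ws@7.5.11` entries mirror the tree described in the PR, the `@scope/other` entry is filler); the advisory ranges are the two quoted in the PR description, which cover the 8.x line only, so the 7.x entry is deliberately left unjudged here because the page gives no 7.x range.

```javascript
// Added example (not from the PR): scan a yarn.lock (v1 format) for resolved
// versions of a package and flag any inside an advisory's affected range.
// SAMPLE_LOCK is constructed for illustration; only the structure matters.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@scope/other@^1.0.0":
  version "1.2.3"
  resolved "https://registry.yarnpkg.com/@scope/other/-/other-1.2.3.tgz#constructed"
  integrity sha512-constructed

ws@8.17.1:
  version "8.17.1"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#constructed"
  integrity sha512-constructed

ws@^8.18.0, ws@^8.21.0:
  version "8.21.0"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.21.0.tgz#constructed"
  integrity sha512-constructed

ws@^7.5.1:
  version "7.5.11"
  resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.11.tgz#constructed"
  integrity sha512-constructed
`;

// The same lockfile after a resolution has pointed the 8.17.1 descriptor at
// 8.21.0: the stale 8.17.1 block is gone (constructed by deleting that block).
const FIXED_LOCK = SAMPLE_LOCK.replace(/ws@8\.17\.1:[\s\S]*?\n\n/, '');

// Advisory ranges as stated in the PR: both apply to the ws 8.x line only.
const ADVISORIES = [
  { id: 'GHSA-96hv-2xvq-fx4p', severity: 'high', major: 8, patched: '8.21.0' },
  { id: 'GHSA-58qx-3vcg-4xpx', severity: 'medium', major: 8, patched: '8.20.1' },
];

// Parse yarn.lock v1 into [{ keys: [descriptor, ...], version }] entries.
// A header is an unindented line ending in ':' listing comma-separated,
// optionally quoted descriptors; the indented `version "x"` line follows.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
      current = { keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Package name from a descriptor such as "ws@^8.21.0" or "@scope/pkg@1.0.0":
// split at the last '@' so scoped names keep their leading '@'.
function packageName(descriptor) {
  const at = descriptor.lastIndexOf('@');
  return at <= 0 ? descriptor : descriptor.slice(0, at);
}

// Numeric [major, minor, patch]; any prerelease suffix is ignored.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Map of resolved version -> descriptors that resolve to it, for one package.
function resolvedVersions(lockText, name) {
  const out = new Map();
  for (const e of parseYarnLock(lockText)) {
    const keys = e.keys.filter(k => packageName(k) === name);
    if (keys.length === 0 || !e.version) continue;
    out.set(e.version, (out.get(e.version) || []).concat(keys));
  }
  return out;
}

// Versions on an advisory's major line that are older than its patched version.
function findVulnerable(lockText, name, advisories) {
  const hits = [];
  for (const [version, descriptors] of resolvedVersions(lockText, name)) {
    for (const adv of advisories) {
      if (parseVersion(version)[0] === adv.major && compareVersions(version, adv.patched) < 0) {
        hits.push({ version, descriptors, advisory: adv.id, severity: adv.severity });
      }
    }
  }
  return hits;
}

// Human-readable summary; returns the lines so callers can assert on them.
function report(lockText, name, advisories) {
  const hits = findVulnerable(lockText, name, advisories);
  const lines = [...resolvedVersions(lockText, name)].map(([v, d]) => `${name}@${v} <- ${d.join(', ')}`);
  for (const h of hits) lines.push(`VULNERABLE: ${name}@${h.version} ${h.advisory} (${h.severity})`);
  return lines;
}

console.log(report(SAMPLE_LOCK, 'ws', ADVISORIES).join('\n'));
console.log('--- after resolution ---');
console.log(report(FIXED_LOCK, 'ws', ADVISORIES).join('\n'));
```

To run it against a real tree, replace `SAMPLE_LOCK` with the contents of `yarn.lock` read from disk; the check is cheap enough to sit in the same CI job as dependency-review and fails closed on any descriptor that still maps to a version below the patched release.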