[Snyk] Security upgrade stellar-base from 0.10.0 to 13.1.0 #30
revan-zhang wants to merge 1 commit into master from
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-15869625
- https://snyk.io/vuln/SNYK-JS-LODASH-15869619
✅ Snyk checks have passed. No issues have been found so far.
| "nanocurrency-web": "^1.2.2", | ||
| "nebulas": "0.5.6", | ||
| "stellar-base": "^0.10.0", | ||
| "stellar-base": "^13.1.0", |
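Review bot: the single-line bump from ^0.10.0 to ^13.1.0 crosses 13 major versions, so this hunk cannot be merged on its own. package-lock.json must be regenerated in the same PR so the resolved version actually satisfies ^13.1.0 (the existing review notes the lockfile still pins stellar-base to 0.10.0, which makes `npm ci` fail and leaves the vulnerable code in place), and the call sites the review lists (Keypair.fromRawEd25519Seed, keypair.secret(), keypair.publicKey()) need to be checked against the v13 API and the bundle rebuilt before the fix is real.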
🔴 package-lock.json not updated, stellar-base still resolves to vulnerable v0.10.0
The PR updates stellar-base from ^0.10.0 to ^13.1.0 in libs/combined/package.json to reduce vulnerabilities, but libs/combined/package-lock.json was not updated and still resolves stellar-base to version 0.10.0 (libs/combined/package-lock.json:2895). This means:
1. npm ci will fail because the lockfile is inconsistent with package.json (0.10.0 does not satisfy ^13.1.0),
2. the vulnerability fix is not actually locked in — the stated goal of the PR is not achieved, and
3. the pre-built bundle src/js/bip39-libs.js still contains the old v0.10.0 code, so even after a rebuild the lockfile would need updating first.
Prompt for agents
The package-lock.json at libs/combined/package-lock.json needs to be regenerated to match the stellar-base version bump from ^0.10.0 to ^13.1.0. Currently the lockfile still resolves stellar-base to 0.10.0 (see lines 2894-2912 and 5754-5767 in the lockfile, plus line 33 in the packages section). Run `cd libs/combined && npm install` to regenerate the lockfile, then verify the resolved version satisfies ^13.1.0. Additionally, after updating the lockfile, the pre-built bundle at src/js/bip39-libs.js should be rebuilt using `npm run build` to actually incorporate the new stellar-base version. Without these steps, the stated goal of reducing vulnerabilities is not achieved. Also verify that the stellar-base v13.x API is compatible with the usage in libs/combined/index.js:84 (Keypair.fromRawEd25519Seed) and src/js/index.js:1306-1309 (keypair.secret(), keypair.publicKey()), since this is a jump of 13 major versions.
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
libs/combined/package.json

Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LODASH-15869625
SNYK-JS-LODASH-15869619
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
- Prototype Pollution
- Arbitrary Code Injection