From 83d7faa4cb0bc03c543c2fa7a1051f8e84a9a28a Mon Sep 17 00:00:00 2001
From: spsjvc
Date: Mon, 5 May 2025 09:48:43 +0200
Subject: [PATCH 1/3] bump base-x

---
 package.json | 3 ++-
 src/package.json | 3 +++
 yarn.lock | 8 ++++----
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index 7646eecf..96de47f7 100644
--- a/package.json
+++ b/package.json
@@ -35,6 +35,7 @@
 "**/@wagmi/cli/viem/ws": "8.17.1",
 "**/@ethersproject/providers/ws": "7.5.10",
 "**/elliptic": "6.6.1",
- "**/nanoid": "3.3.8"
+ "**/nanoid": "3.3.8",
+ "**/base-x": "3.0.11"
 }
 }
diff --git a/src/package.json b/src/package.json
index bae06fdb..fc6cc13f 100644
--- a/src/package.json
+++ b/src/package.json
@@ -56,5 +56,8 @@
 "@offchainlabs/fund-distribution-contracts": "^1.0.1",
 "@safe-global/protocol-kit": "^4.0.2",
 "ethers": "^5.7.2"
+ },
+ "resolutions": {
+ "**/base-x": "3.0.11"
 }
 }
diff --git a/yarn.lock b/yarn.lock
index faa9c736..7faed49d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1168,10 +1168,10 @@ balanced-match@^1.0.0:
 resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.2.tgz#e83e3a7e3f300b34cb9d87f615fa0cbf357690ee"
 integrity sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==

-base-x@^3.0.2:
- version "3.0.9"
- resolved "https://registry.yarnpkg.com/base-x/-/base-x-3.0.9.tgz#6349aaabb58526332de9f60995e548a53fe21320"
- integrity sha512-H7JU6iBHTal1gp56aKoaa//YUxEaAOUiydvrV/pILqIHXTtqxSkATOnDA2u+jZ/61sD+L/412+7kzXRtWukhpQ==
+base-x@3.0.11, base-x@^3.0.2:
+ version "3.0.11"
+ resolved "https://registry.yarnpkg.com/base-x/-/base-x-3.0.11.tgz#40d80e2a1aeacba29792ccc6c5354806421287ff"
+ integrity sha512-xz7wQ8xDhdyP7tQxwdteLYeFfS68tSMNCZ/Y37WJ4bhGfKPpqEIlmIyueQHqOyoPhE6xNUqjzRr8ra0eF9VRvA==
 dependencies:
 safe-buffer "^5.0.1"

From fa415ba3d26253d2753c991282e054861963fa4e Mon Sep 17 00:00:00 2001
From: spsjvc
Date: Mon, 5 May 2025 09:50:46 +0200
Subject: [PATCH 2/3] remove unnecessary advisory

---
 audit-ci.jsonc | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/audit-ci.jsonc b/audit-ci.jsonc
index 8a81bf0d..6adb14de 100644
--- a/audit-ci.jsonc
+++ b/audit-ci.jsonc
@@ -72,11 +72,6 @@
 // https://github.com/cryptocoinjs/secp256k1-node/commit/dc37f41f2abfe87853b54bcd7d1b556db41b0c64#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R35
 // from: @arbitrum/token-bridge-contracts > @openzeppelin/upgrades-core > ethereumjs-util > ethereum-cryptography
 "GHSA-584q-6j8j-r5pm",
- // https://github.com/advisories/GHSA-fc9h-whq2-v747
- // Valid ECDSA signatures erroneously rejected in Elliptic
- // from: @arbitrum/token-bridge-contracts > @openzeppelin/upgrades-core > ethereumjs-util > ethereum-cryptography > secp256k1
- // from: ethers > @ethersproject/signing-key
- "GHSA-fc9h-whq2-v747",
 // https://github.com/advisories/GHSA-3xgq-45jj-v275
 // cross-spawn command injection vulnerability
 // Only used during development via audit-ci, nyc, and patch-package

From d97b243fa568353e2b78a95becf2fecce241012d Mon Sep 17 00:00:00 2001
From: spsjvc
Date: Mon, 5 May 2025 10:38:08 +0200
Subject: [PATCH 3/3] add advisory

---
 audit-ci.jsonc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/audit-ci.jsonc b/audit-ci.jsonc
index 6adb14de..c730cffa 100644
--- a/audit-ci.jsonc
+++ b/audit-ci.jsonc
@@ -96,12 +96,16 @@
 // https://github.com/advisories/GHSA-xcj6-pq6g-qj4x
 // the vite dev server (when exposed to the network with --host) can return contents of arbitrary files
 //
+ // https://github.com/advisories/GHSA-859w-5945-r5v3
+ // the vite dev server (when exposed to the network with --host) can return contents of arbitrary files
+ //
 // vite is only used with vitest for running tests, and without exposing the dev server to the network
 //
 // from: vitest>vite
 // from: vitest>vite-node>vite
 "GHSA-4r4m-qw57-chr8",
 "GHSA-356w-63v5-8wf4",
- "GHSA-xcj6-pq6g-qj4x"
+ "GHSA-xcj6-pq6g-qj4x",
+ "GHSA-859w-5945-r5v3"
 ]
 }
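Review bot: The description line added under the GHSA-859w-5945-r5v3 link is a verbatim copy of the line written for GHSA-xcj6-pq6g-qj4x just above it, so the allowlist no longer records what this particular advisory covers or why its impact is judged equivalent; replace the copied line with a one-line summary taken from the advisory page, e.g. `// <one-line summary of GHSA-859w-5945-r5v3 from the advisory>`. This appears to be the fourth vite dev-server advisory accepted under the single rationale that vite is reached only through vitest and the server is not exposed, and patch 1 of this series shows the alternative: base-x was remediated with a `resolutions` pin rather than an allowlist entry, and the same approach (bumping vite via vitest, or a `**/vite` resolution to a release that fixes the advisory) would close the finding instead of growing the exemption list. If the entry must stay, and the audit-ci version in use supports path-scoped allowlist entries, `"GHSA-859w-5945-r5v3|vitest>vite"` would tie the exemption to the paths the comment names rather than to any future direct use of vite. The allowlist array this hunk edits begins outside the hunk.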