Bump eventsource from 1.1.0 to 1.1.1

[dependabot]

Bumps eventsource from 1.1.0 to 1.1.1.

Changelog

Sourced from eventsource's changelog.

1.1.1

• Do not include authorization and cookie headers on redirect to different origin (#273 Espen Hovlandsdal)

Commits

• aa7a408 1.1.1
• 56d489e chore: rebuild polyfill
• 4a951e5 docs: update history for 1.1.1
• f9f6416 fix: strip sensitive headers on redirect to different origin
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

[foxpatch-aleph]

This is a Dependabot security patch bumping eventsource from 1.1.0 to 1.1.1, which fixes CVE-2022-1650 — a vulnerability where authorization and cookie headers were incorrectly forwarded on cross-origin redirects, potentially exposing credentials. The lock file changes are consistent with this update: eventsource itself is bumped in both package-lock.json and yarn.lock, and the surrounding churn reflects transitive dependency resolution updates (e.g., @solana/web3.js major bump from 0.90.5 to 1.43.4, rpc-websockets, jayson, superstruct, ws updates). These transitive changes appear to be legitimate dependency graph re-resolutions triggered by the update and are consistent with a clean npm/yarn install. The security fix is legitimate, minimal in scope, and appropriate to merge.

package-lock.json (line None): The diff includes a significant upgrade of @solana/web3.js from 0.90.5 to 1.43.4 as a transitive dependency change. This is a major version bump with breaking API changes in the Solana SDK. While this appears to be an incidental lock file resolution change (not a direct dependency change), it's worth verifying that the app doesn't directly import or rely on internals of @solana/web3.js at the old API surface, and running the test suite to confirm nothing is broken.

yarn.lock (line None): The yarn.lock splits url-parse into two separate resolutions: ^1.4.3 gets 1.5.10 and ^1.5.3 gets 1.5.4. This is an unusual split that could indicate a version conflict in the dependency tree. Not a blocker, but worth monitoring — url-parse 1.5.3 and below had known SSRF vulnerabilities, so ensure any consumer of the ^1.5.3 range is using a patched version. In this case 1.5.4 is fine.