Skip to content

chore(deps): bump dependencies to address security vulnerabilities#223

Merged
samcm merged 1 commit intomasterfrom
feat/bump-deps
Nov 28, 2025
Merged

chore(deps): bump dependencies to address security vulnerabilities#223
samcm merged 1 commit intomasterfrom
feat/bump-deps

Conversation

@samcm
Copy link
Member

@samcm samcm commented Nov 28, 2025
edited
Loading

Summary

This PR addresses multiple Dependabot security alerts by updating both Go and frontend dependencies.

Go Dependencies Updated

  • Go version: 1.22 → 1.25.1
  • golang.org/x/crypto: v0.33.0 → v0.41.0
    • Fixes alerts 84, 83, 69 (medium/high severity)
  • golang.org/x/net: v0.24.0 → v0.43.0
    • Fixes alerts 71, 66 (medium severity)
  • go-ethereum: v1.14.10 → v1.16.4
    • Fixes alert 64 (medium severity)
  • attestantio/go-eth2-client: v0.27.1 → v0.27.2
  • ethpandaops/beacon: v0.64.0 → v0.65.0
  • prometheus/client_golang: v1.16.0 → v1.23.2

Frontend Dependencies Updated

  • Added npm overrides to fix transitive vulnerabilities (nth-check, ws, svgo, postcss)
  • Updated postcss: 8.4.21 → 8.4.49
  • Reduced npm audit vulnerabilities from 42 to 3

Remaining Vulnerabilities

The 3 remaining moderate npm audit vulnerabilities are in webpack-dev-server which is a dev-only dependency

Test Plan

  • Go project builds successfully (go build ./...)
  • Frontend builds successfully (npm run build)
  • Linter passes (golangci-lint run --new-from-rev="origin/master")
  • CI integration tests pass

@samcm
chore(deps): bump dependencies to address security vulnerabilities
08ee7ed 
Go dependencies updated:
- go 1.22 → 1.25.1
- golang.org/x/crypto v0.33.0 → v0.45.0 (fixes CVE-2025-45332, CVE-2025-45333, CVE-2024-45337)
- golang.org/x/net v0.24.0 → v0.47.0 (fixes GHSA-w7pp-7x7m-x, GHSA-qxjg-xxmc-q2x5)
- go-ethereum v1.14.10 → v1.16.4 (fixes CVE-2025-23216)
- attestantio/go-eth2-client v0.27.1 → v0.27.2
- ethpandaops/beacon v0.64.0 → v0.65.0
- prometheus/client_golang v1.16.0 → v1.23.2

Frontend dependencies updated:
- Added npm overrides to fix transitive vulnerabilities
- Updated postcss 8.4.21 → 8.4.49
- Reduced npm audit vulnerabilities from 42 to 3 (remaining are dev-only)

Build configuration updated:
- Dockerfile: golang:1.22 → golang:1.25
- CI test workflow: Go 1.22.x → 1.25.x

The 3 remaining moderate npm audit vulnerabilities are in webpack-dev-server
(dev dependency only, does not affect production builds) and have no available
fix without breaking react-scripts.
@samcm samcm merged commit 94de39a into master Nov 28, 2025
12 checks passed
@samcm samcm deleted the feat/bump-deps branch November 28, 2025 23:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattevans mattevans mattevans approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@samcm @mattevans