fix(js-legacy): Removes transitive dependency on bigint-buffer #916
Conversation
Pull request overview
This PR removes the transitive dependency on the vulnerable and unmaintained bigint-buffer package (CVE-2025-3194) by replacing @solana/buffer-layout-utils with a custom implementation based on @solana/codecs.
- Implements codec-based Layout adapters (FixedSizeCodecLayout and OptionCodecLayout) to bridge @solana/codecs with @solana/buffer-layout
- Replaces all imports of serialization utilities from @solana/buffer-layout-utils with the new local implementation
- Updates dependencies to use @solana/codecs-* packages (version 5.1.0) in place of @solana/buffer-layout-utils
Reviewed changes
Copilot reviewed 43 out of 44 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| clients/js-legacy/src/serialization.ts | Implements new codec-based Layout classes and exports bool, publicKey, and u64 functions to replace @solana/buffer-layout-utils functionality |
| clients/js-legacy/src/state/multisig.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/state/mint.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/state/account.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/transferChecked.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/transfer.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/setAuthority.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/mintToChecked.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/mintTo.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/initializePermanentDelegate.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/initializeMint2.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/initializeMint.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/initializeAccount3.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/initializeAccount2.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/burnChecked.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/burn.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/approveChecked.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/approve.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/instructions/amountToUiAmount.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/transferHook/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/transferHook/instructions.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/transferFee/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/transferFee/instructions.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/tokenGroup/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/scaledUiAmount/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/scaledUiAmount/instructions.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/permanentDelegate.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/pausable/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/pausable/instructions.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/mintCloseAuthority.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/metadataPointer/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/metadataPointer/instructions.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/memoTransfer/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/interestBearingMint/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/interestBearingMint/instructions.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/groupPointer/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/groupPointer/instructions.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/groupMemberPointer/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/groupMemberPointer/instructions.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/extensions/cpiGuard/state.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/src/actions/uiAmountToAmount.ts | Updates imports to use local serialization module instead of @solana/buffer-layout-utils |
| clients/js-legacy/pnpm-lock.yaml | Removes @solana/buffer-layout-utils and its transitive dependencies (bigint-buffer, bignumber.js, bindings, file-uri-to-path); adds @solana/codecs-* packages at version 5.1.0 |
| clients/js-legacy/package.json | Removes @solana/buffer-layout-utils dependency and adds @solana/codecs-core, @solana/codecs-data-structures, and @solana/codecs-numbers at version 5.1.0; updates @solana/codecs-strings to 5.1.0 |
| clients/js-legacy/README.md | Clarifies that the local test validator should be started before running tests |
Files not reviewed (1)
- clients/js-legacy/pnpm-lock.yaml: Language not supported
Replaces the use of @solana/buffer-layout-utils, which depends on the unmaintained bigint-buffer package vulnerable to CVE-2025-3194, with an @solana/codecs-backed Layout implementation.
(branch updated: 4acaadd to af536d3)
Closing this in favor of fixing the vulnerability in https://github.com/solana-foundation/buffer-layout-utils
Replaces the use of `@solana/buffer-layout-utils`, which depends on the unmaintained `bigint-buffer` package vulnerable to CVE-2025-3194, with an `@solana/codecs`-backed Layout implementation.
While `@solana/spl-token` isn't directly vulnerable to buffer overflow, as none of its code paths use `toBigIntLE()` from `bigint-buffer`, removing the dependency on `bigint-buffer` removes the high-severity vulnerability flag on `@solana/spl-token`.
fixes #453
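The adapter idea in the Copilot summary (a codec-based Layout bridging `@solana/codecs` with `@solana/buffer-layout`) and the author's point about `toBigIntLE()` are both illustrated by the following added example. It is not code from the token-2022 repository, from `@solana/codecs` or from `@solana/buffer-layout`; the class name `CodecLayout`, the helper `checkBounds`, the codec shape (`fixedSize` / `read` / `write`, loosely modelled on `@solana/codecs-core` fixed-size codecs) and the sample bytes are all assumptions made for illustration. The `u64` field is read with `DataView` and native `BigInt`, so no code path touches `bigint-buffer`.

```javascript
// Added example for this PR thread, not code from the token-2022 repository or
// from @solana/codecs / @solana/buffer-layout. It sketches the adapter the PR
// describes: a buffer-layout-style Layout (span / decode / encode) driven by a
// codec-style object (fixedSize / read / write). The codec shape is an
// assumption loosely modelled on @solana/codecs-core fixed-size codecs:
//   read(bytes, offset)  -> [value, nextOffset]
//   write(value, bytes, offset) -> nextOffset

// Bounds check shared by every layout. A memory helper that skips this and
// trusts the caller's length is exactly what a truncated input abuses.
function checkBounds(bytes, offset, size) {
  if (!Number.isInteger(offset) || offset < 0 || offset + size > bytes.length) {
    throw new RangeError(`need ${size} byte(s) at offset ${offset}, buffer has ${bytes.length}`);
  }
}

// Stand-in for the PR's FixedSizeCodecLayout: exposes the Layout surface that
// @solana/buffer-layout structs consume, delegating the byte work to a codec.
class CodecLayout {
  constructor(codec, property) {
    this.codec = codec;
    this.span = codec.fixedSize; // fixed width, as buffer-layout requires
    this.property = property;
  }
  getSpan() { return this.span; }
  decode(b, offset = 0) {
    checkBounds(b, offset, this.span);
    return this.codec.read(b, offset)[0];
  }
  encode(src, b, offset = 0) {
    checkBounds(b, offset, this.span);
    this.codec.write(src, b, offset);
    return this.span; // buffer-layout returns the number of bytes written
  }
}

const U64_MAX = (1n << 64n) - 1n;

// u64 little-endian via DataView + BigInt. Out-of-range values throw instead
// of being silently truncated.
const u64Codec = {
  fixedSize: 8,
  read(bytes, offset) {
    const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
    return [view.getBigUint64(offset, true), offset + 8];
  },
  write(value, bytes, offset) {
    if (typeof value !== "bigint" || value < 0n || value > U64_MAX) {
      throw new RangeError(`u64 out of range: ${value}`);
    }
    const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
    view.setBigUint64(offset, value, true);
    return offset + 8;
  },
};

// bool as one byte; any non-zero byte reads as true.
const boolCodec = {
  fixedSize: 1,
  read(bytes, offset) { return [bytes[offset] !== 0, offset + 1]; },
  write(value, bytes, offset) { bytes[offset] = value ? 1 : 0; return offset + 1; },
};

// 32-byte public key. read() copies so later writes to the account buffer
// cannot mutate a key that was already handed out.
const publicKeyCodec = {
  fixedSize: 32,
  read(bytes, offset) {
    return [Uint8Array.from(bytes.subarray(offset, offset + 32)), offset + 32];
  },
  write(value, bytes, offset) {
    if (value.length !== 32) throw new RangeError(`public key must be 32 bytes, got ${value.length}`);
    bytes.set(value, offset);
    return offset + 32;
  },
};

// Same factory names the PR's serialization.ts exports; bodies are this example's own.
function u64(property) { return new CodecLayout(u64Codec, property); }
function bool(property) { return new CodecLayout(boolCodec, property); }
function publicKey(property) { return new CodecLayout(publicKeyCodec, property); }

// Constructed sample record (not real on-chain data): 8-byte LE amount
// 10_000_000_000 followed by a 1-byte flag set to 1.
const SAMPLE = new Uint8Array([0x00, 0xe4, 0x0b, 0x54, 0x02, 0x00, 0x00, 0x00, 0x01]);

function decodeSample(bytes = SAMPLE) {
  return { amount: u64("amount").decode(bytes, 0), flag: bool("flag").decode(bytes, 8) };
}

// Encode then decode a u64 through the layout.
function roundTrip(value) {
  const out = new Uint8Array(8);
  u64().encode(value, out, 0);
  return u64().decode(out, 0);
}

// True when decoding `bytes` as a u64 is refused with a RangeError.
function rejectsShortBuffer(bytes) {
  try { u64().decode(bytes, 0); return false; } catch (e) { return e instanceof RangeError; }
}

console.log(decodeSample());
```

`DataView` already refuses reads past the end of its view, so the explicit `checkBounds` is defence in depth with a clearer error; the point is that the length check lives in the layout, not in whatever memory helper happens to be underneath, which is the property the thread is relying on when it drops `bigint-buffer`.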