From 46392605059071aae06580f86d23b61be11513c0 Mon Sep 17 00:00:00 2001
From: Jeremy Lee
Date: Mon, 15 Jun 2026 16:52:28 -0400
Subject: [PATCH] fix: bump transitive ws off vulnerable 8.17.1 via scoped resolution
ws@8.17.1 is pulled by ethers@6.13.5 <- tronweb <- funkit's relay deps and trips dependency-review on two advisories:
- GHSA-96hv-2xvq-fx4p (high) ws 8.x affected < 8.21.0 (first patched 8.21.0)
- GHSA-58qx-3vcg-4xpx (medium) ws 8.x affected < 8.20.1 (first patched 8.20.1)
Add a scoped resolution so ethers' ws resolves to ^8.21.0 (already in the tree, patched for BOTH advisories) instead of 8.17.1:
"resolutions": {
"tronweb/ethers/ws": "^8.21.0"
}
- Anchored at tronweb (a direct dep), not the transitive ethers: yarn-classic won't apply a selective resolution anchored at a deeply-transitive package.
- Scoped, not global: a global ws resolution would drag WalletConnect's ws@7.x to 8.x. This leaves ws@7.5.11 (already patched for the 7.x range) untouched.
Verified: no ws resolves to 8.17.1; ethers' ws -> 8.21.0; ws@7.5.11 unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 package.json | 5 +++--
 yarn.lock | 13 ++++---------
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/package.json b/package.json
index 7610c04f46..e370185e8b 100644
--- a/package.json
+++ b/package.json
@@ -10,7 +10,8 @@
 "@types/react": "^18.3.30",
 "@types/react-dom": "^18.3.7",
 "bignumber.js": "^9.3.1",
- "axios": "^1.18.0"
+ "axios": "^1.18.0",
+ "tronweb/ethers/ws": "^8.21.0"
 },
 "scripts": {
 "dev": "next dev",
@@ -171,4 +172,4 @@
 "budgetPercentIncreaseRed": 20,
 "showDetails": true
 }
-}
\ No newline at end of file
+}
diff --git a/yarn.lock b/yarn.lock
index ba8a8b4aba..e579360def 100644
--- a/yarn.lock
+++ b/yarn.lock
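Review bot: The object that `"tronweb/ethers/ws": "^8.21.0"` is added to opens above the `@@ -10,7 +10,8 @@` hunk, so the diff itself does not show that this is the `resolutions` block the message describes; its neighbours (`@types/react`, `bignumber.js`, `axios`) would read just as naturally in a `dependencies`/`devDependencies` section, where a path-style key is not an installable package name and `yarn install` would fail on it. The new `ws@^8.21.0` selector that appears as a lock key in yarn.lock suggests yarn did treat it as a resolution, but the enclosing key should be confirmed in the full file rather than inferred. The `@@ -171,4 +172,4 @@` hunk only adds the missing trailing newline and needs no review.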
@@ -15653,10 +15653,10 @@ write-file-atomic@^4.0.2:
 imurmurhash "^0.1.4"
 signal-exit "^3.0.7"
-ws@8.17.1:
- version "8.17.1"
- resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b"
- integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==
+ws@8.17.1, ws@^8.11.0, ws@^8.19.0, ws@^8.21.0, ws@^8.5.0:
+ version "8.21.0"
+ resolved "https://registry.yarnpkg.com/ws/-/ws-8.21.0.tgz#012e413fc07429945121b0c153158c4343086951"
+ integrity sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==
 ws@8.18.0:
 version "8.18.0"
@@ -15678,11 +15678,6 @@ ws@^7.3.1, ws@^7.5.1, ws@^7.5.10:
 resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.11.tgz#9460daf1812bb81a423c5b9eac746941a86310fa"
 integrity sha512-zS54Oen9bITtp7kp2XM3AydrCIq1D+HwJOuH+c+e4LfpL/lotP5osijd+UoMnxwAam1GN8R4KtLAyIrIcBNpiA==
-ws@^8.11.0, ws@^8.19.0, ws@^8.5.0:
- version "8.21.0"
- resolved "https://registry.yarnpkg.com/ws/-/ws-8.21.0.tgz#012e413fc07429945121b0c153158c4343086951"
- integrity sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==
-
 xml-name-validator@^4.0.0:
 version "4.0.0"
 resolved "https://registry.yarnpkg.com/xml-name-validator/-/xml-name-validator-4.0.0.tgz#79a006e2e63149a8600f15430f0a4725d1524835"
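Review bot: `ws@8.18.0:` / `version "8.18.0"` survives as context directly below the merged entry in the `@@ -15653,10 +15653,10 @@` hunk, and by the affected ranges the commit message itself quotes (< 8.21.0 and < 8.20.1) an 8.18.0 in the tree sits inside both advisories' windows, so removing 8.17.1 alone leaves the stated goal unmet; the dependent that pins 8.18.0 is outside the hunk and would need the same scoped treatment, or the "Verified" line in the message should be narrowed to 8.17.1 only. Note also that the lock key `ws@8.17.1` carries no path scope, so every package requesting exactly 8.17.1, not only ethers under tronweb, now receives 8.21.0 — harmless here as far as the hunk shows, but broader than "scoped" implies. On the positive side, the new entry's `resolved` URL and `integrity` hash are byte-for-byte the ones of the `ws@^8.11.0, ws@^8.19.0, ws@^8.5.0` entry deleted in the `@@ -15678,11 +15678,6 @@` hunk, so the change introduces no new artifact into the tree.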