Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion libs/combined/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
"groestlcoinjs-lib": "git://github.com/Groestlcoin/groestlcoinjs-lib.git#3.3.2",
"handshake-util": "1.2.0",
"javascript-biginteger": "0.9.2",
"jsrsasign": "^8.0.19",
"jsrsasign": "^11.1.1",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 package-lock.json not updated to match new jsrsasign version range

The package.json bumps jsrsasign from ^8.0.19 to ^11.1.1, but libs/combined/package-lock.json still pins jsrsasign to version 8.0.24 (libs/combined/package-lock.json:5061-5064). Version 8.0.24 does not satisfy the new ^11.1.1 range (different major version). This means npm ci will fail due to the mismatch between package.json and package-lock.json, and the security fix this PR intends to deliver will not actually be installed in reproducible builds.

Prompt for agents
Run `npm install` (or `npm i`) inside the libs/combined directory to regenerate the package-lock.json file so that it resolves jsrsasign to a version satisfying ^11.1.1. Then commit the updated libs/combined/package-lock.json alongside the package.json change. Without this, `npm ci` will fail and the intended version upgrade will not take effect.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lock file not updated, security fix ineffective

High Severity

The package-lock.json was not updated alongside this package.json change. The lockfile still pins jsrsasign at 8.0.24 (the vulnerable version), so npm ci will either fail due to the mismatch or continue installing the vulnerable version. Additionally, jsrsasign is not directly imported in index.js — it's only consumed as a transitive dependency of elastos-wallet-js, which requires ^8.0.12. Since ^11.1.1 doesn't satisfy ^8.0.12, npm will still install a vulnerable 8.x copy nested under elastos-wallet-js, meaning the security fix does not actually protect the code that uses the library.

Fix in Cursor Fix in Web

"kjua": "0.6.0",
"nanocurrency-web": "^1.2.2",
"nebulas": "0.5.6",
Expand Down
Loading