Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion libs/combined/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@
"kjua": "0.6.0",
"nanocurrency-web": "^1.2.2",
"nebulas": "0.5.6",
"stellar-base": "^0.10.0",
"stellar-base": "^13.1.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 package-lock.json not updated, stellar-base still resolves to vulnerable v0.10.0

The PR updates stellar-base from ^0.10.0 to ^13.1.0 in libs/combined/package.json to reduce vulnerabilities, but libs/combined/package-lock.json was not updated and still resolves stellar-base to version 0.10.0 (libs/combined/package-lock.json:2895). This means: (1) npm ci will fail because the lockfile is inconsistent with package.json (0.10.0 does not satisfy ^13.1.0), (2) the vulnerability fix is not actually locked in — the stated goal of the PR is not achieved, and (3) the pre-built bundle src/js/bip39-libs.js still contains the old v0.10.0 code, so even after a rebuild the lockfile would need updating first.

Prompt for agents
The package-lock.json at libs/combined/package-lock.json needs to be regenerated to match the stellar-base version bump from ^0.10.0 to ^13.1.0. Currently the lockfile still resolves stellar-base to 0.10.0 (see lines 2894-2912 and 5754-5767 in the lockfile, plus line 33 in the packages section). Run `cd libs/combined && npm install` to regenerate the lockfile, then verify the resolved version satisfies ^13.1.0. Additionally, after updating the lockfile, the pre-built bundle at src/js/bip39-libs.js should be rebuilt using `npm run build` to actually incorporate the new stellar-base version. Without these steps, the stated goal of reducing vulnerabilities is not achieved. Also verify that the stellar-base v13.x API is compatible with the usage in libs/combined/index.js:84 (Keypair.fromRawEd25519Seed) and src/js/index.js:1306-1309 (keypair.secret(), keypair.publicKey()), since this is a jump of 13 major versions.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

"unorm": "1.6.0",
"zxcvbn": "4.4.2"
},
Expand Down
Loading