Last audited: 2026-01-25

48 vulnerabilities (30 low, 8 moderate, 10 high)

The following vulnerabilities exist in transitive dependencies (dependencies of our dependencies) and are accepted as risk due to the following factors:

1. Bags SDK vulnerabilities: The @bagsfm/bags-sdk uses axios internally for API calls. User input is validated before being passed to SDK methods. The SDK is maintained by Bags.fm.

2. Solana ecosystem vulnerabilities: The @solana/web3.js and related packages have deep dependency trees including cryptographic libraries. These are standard in the Solana ecosystem and are used by all Solana applications.

3. Dev-only vulnerabilities: mocha, ts-mocha, and related test dependencies are not included in production builds.

4. Prototype pollution (lodash): Requires _.merge() or _.set() with untrusted input. Our codebase does not use these functions with user-controlled data.

1. Input Validation: All user input is validated before processing
2. Rate Limiting: API endpoints have rate limiting to prevent abuse
3. Security Headers: CSP, HSTS, X-Frame-Options configured in netlify.toml
4. Parameterized Queries: Database queries use parameterized statements

These vulnerabilities will be resolved when:

• @bagsfm/bags-sdk releases an update with fixed axios
• @solana/* ecosystem packages release updates
• Next major version update (requires testing for breaking changes)

Run npm audit periodically to check for new vulnerabilities.

API endpoints implement rate limiting via src/lib/rate-limit.ts:

Configured in netlify.toml:

• X-Frame-Options: DENY - Prevent clickjacking
• X-Content-Type-Options: nosniff - Prevent MIME sniffing
• X-XSS-Protection: 1; mode=block - XSS protection
• Strict-Transport-Security - HTTPS enforcement
• Content-Security-Policy - Restrict resource loading

Report security vulnerabilities via GitHub Issues (private) or contact the maintainers directly.