
fix(deps): resolve 30 Dependabot security alerts#373

Open
Fletch153 wants to merge 3 commits into develop from fix/dependabot-updates-2026-02-24

Conversation

@Fletch153
Contributor

Summary

  • Resolves 30 of 40 open Dependabot security alerts (75%)
  • Bumps go-ethereum v1.16.9 → v1.17.0 across all 4 Go modules (CVE-2026-26313)
  • Bumps @openzeppelin/contracts aliases 4.7.3/4.8.3 → 4.9.6 (CVE-2023-30542, CVE-2024-27094, etc.)
  • Regenerates all pnpm lockfiles to resolve transitive vulns (ajv, lodash, undici, js-yaml)
  • Adds tmp pnpm override to contracts/cre/package.json

How these changes were made

  1. Deleted and regenerated all 3 pnpm lockfiles (contracts/, contracts/cre/, root) to resolve transitive npm vulnerabilities (ajv, lodash, undici, js-yaml).
  2. Bumped github.com/ethereum/go-ethereum from v1.16.9 to v1.17.0 across all 4 Go modules, ran go mod tidy and verified go build ./... in each.
  3. Bumped @openzeppelin/contracts aliased versions: 4.7.3→4.9.6 and 4.8.3→4.9.6 in contracts/package.json and contracts/cre/package.json. Verified Foundry compilation (forge build) passes with no new errors.
  4. Added "tmp": "^0.2.4" pnpm override to contracts/cre/package.json to resolve tmp vulnerability via @arbitrum/nitro-contracts → patch-package → tmp.

All lockfile and go.sum changes are auto-generated.

Blocked alerts (10 remaining)

| Alert | Severity | Dependency | Reason |
| --- | --- | --- | --- |
| #129, #128 | HIGH | minimatch | Pinned at 3.1.3 by parent deps (glob, eslint, patch-package). Dev-only. |
| #109, #108 | LOW | elliptic | No patched version exists (<=6.6.1 vulnerable, latest is 6.6.1). |
| #107, #106, #88-#85 | HIGH/MED | @openzeppelin/contracts | From published @chainlink/contracts@1.5.0 on npm. Will auto-resolve on next publish. |

Test plan

  • go build ./... passes on all 4 Go modules
  • forge build passes for contracts/ (pre-existing warnings only, same as develop)
  • forge build passes for contracts/cre/ (Compiler run successful)
  • Verified resolved versions with pnpm why for all fixed transitive deps
  • CI pipeline passes

🤖 Generated with Claude Code

Bump go-ethereum v1.16.9→v1.17.0 (CVE-2026-26313) across all Go modules.
Bump @openzeppelin/contracts aliases 4.7.3/4.8.3→4.9.6 to address multiple
CVEs (CVE-2023-30542, CVE-2024-27094, etc.). Add tmp override to CRE package.
Regenerate all pnpm lockfiles to resolve transitive vulnerabilities in ajv,
lodash, undici, js-yaml.

10 alerts remain blocked: minimatch (pinned by parent deps), elliptic (no
patch), and OZ in CRE lockfile (from published @chainlink/contracts@1.5.0).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
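The "How these changes were made" steps and the test plan above amount to a repeatable post-upgrade check: every Go module must require the patched go-ethereum release, the pnpm overrides the PR relies on must be present in the regenerated lockfile, and no resolved npm version may sit below the floor the PR targets. The script below is an added example written for this review, not code from the PR or from the project's repository. It assumes pnpm lockfile v6/v9 key layout, uses constructed go.mod and lockfile excerpts with hypothetical module paths, and takes its version floors from the PR text (go-ethereum v1.17.0, @openzeppelin/contracts 4.9.6, minimatch >=9.0.5, tmp ^0.2.4). It goes one step beyond the PR by also flagging any Go module that was left on the old release, which is the failure mode a multi-module bump is most likely to hide.

```python
"""Added example (hypothetical CI check, not the PR's own code): confirm a dependency bump landed."""
import re
# Constructed fixtures standing in for repository files; module paths are hypothetical.
GO_MODS = {
    "contracts/go.mod": "module example.com/contracts\n\ngo 1.22\n\nrequire (\n"
                        "\tgithub.com/ethereum/go-ethereum v1.17.0\n)\n",
    "core/go.mod": "module example.com/core\n\ngo 1.22\n\n"
                   "require github.com/ethereum/go-ethereum v1.16.9 // still on the old release\n",
}
PNPM_LOCK = """lockfileVersion: '9.0'

overrides:
  minimatch@<9: '>=9.0.5'
  tmp: ^0.2.4

packages:
  '@openzeppelin/contracts@4.9.6':
    resolution: {integrity: sha512-constructed}
  minimatch@9.0.5:
    resolution: {integrity: sha512-constructed}
  tmp@0.2.4:
    resolution: {integrity: sha512-constructed}
"""
# Version floors the PR targets, and the pnpm overrides it relies on.
GETH = ("github.com/ethereum/go-ethereum", "v1.17.0")
NPM_FLOORS = (("@openzeppelin/contracts", "4.9.6"), ("minimatch", "9.0.5"), ("tmp", "0.2.4"))
REQUIRED_OVERRIDES = ("minimatch@<9", "tmp")

def parse_version(v):
    """'v1.17.0' -> (1, 17, 0); pre-release/build suffixes dropped (fine for release floors)."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def go_mod_requires(text):
    """Map module path -> version from single-line and block 'require' directives."""
    reqs, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()        # drop comments such as '// indirect'
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        else:
            pattern = r"^(\S+)\s+(v\S+)$" if in_block else r"^require\s+(\S+)\s+(v\S+)$"
            m = re.match(pattern, line)
            if m:
                reqs[m.group(1)] = m.group(2)
    return reqs

def go_modules_below(go_mods, module, minimum):
    """[(go.mod path, version or None)] for every module not yet at `minimum`."""
    found = {path: go_mod_requires(text).get(module) for path, text in go_mods.items()}
    return [(p, v) for p, v in found.items() if v is None or parse_version(v) < parse_version(minimum)]

def pnpm_lock_section(text, name):
    """Yield the entry lines (two-space indent) directly under a top-level `name:` key."""
    active = False
    for line in text.splitlines():
        if line.rstrip() == f"{name}:":
            active = True
        elif active and line and not line.startswith(" "):
            active = False                       # next top-level key ends the section
        elif active and line.startswith("  ") and not line.startswith("   "):
            yield line.strip()

def pnpm_lock_packages(text):
    """Set of (package, version) resolved under 'packages:' (v6 '/name@ver(peers)' or v9 'name@ver')."""
    pkgs = set()
    for entry in pnpm_lock_section(text, "packages"):
        key = entry.rstrip(":").strip("'\"").lstrip("/").split("(")[0]
        name, _, version = key.rpartition("@")   # scoped names begin with '@', so split on the last one
        if name and version:
            pkgs.add((name, version))
    return pkgs

def pnpm_lock_overrides(text):
    """Map override selector -> replacement range from the 'overrides:' section."""
    ov = {}
    for entry in pnpm_lock_section(text, "overrides"):
        k, _, v = entry.partition(":")
        ov[k.strip("'\"")] = v.strip().strip("'\"")
    return ov

def npm_below(pkgs, name, minimum):
    """Resolved versions of `name` still below `minimum`."""
    return sorted(v for n, v in pkgs if n == name and parse_version(v) < parse_version(minimum))

def run_checks(go_mods, lock_text):
    """Return findings; an all-empty result means the bump landed everywhere it was meant to."""
    pkgs, overrides = pnpm_lock_packages(lock_text), pnpm_lock_overrides(lock_text)
    return {
        "go_modules_below": go_modules_below(go_mods, *GETH),
        "missing_overrides": [k for k in REQUIRED_OVERRIDES if k not in overrides],
        "npm_below": {n: npm_below(pkgs, n, m) for n, m in NPM_FLOORS if npm_below(pkgs, n, m)},
    }

if __name__ == "__main__":
    findings = run_checks(GO_MODS, PNPM_LOCK)
    print(findings)                               # the constructed core/go.mod is reported as stale
    raise SystemExit(0 if not any(findings.values()) else 1)
```

Run against the real tree, the fixtures would be replaced by reading each module's go.mod and each of the three pnpm lockfiles the PR regenerated; a non-zero exit from the script is the signal that an alert should not yet be counted as resolved.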
@github-actions
Contributor

👋 Fletch153, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

@github-actions
Contributor

github-actions bot commented Feb 24, 2026

✅ API Diff Results - No breaking changes


📄 View full apidiff report

Fletch153 and others added 2 commits February 24, 2026 19:08
Update gas snapshots for functions, l2ep, and llo-feeds after OZ alias
bump changed contract bytecode. Add eslint-config-prettier as devDep
required by eslint-plugin-prettier@5.5.5.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ility

Regenerated all Go solidity wrappers after bumping go-ethereum from
v1.16.9 to v1.17.0. Updated abigen to v1.17.0 and re-ran wrapper
generation for all products including CRE gobindings.

Added pnpm override for minimatch@<9 to force >=9.0.5, eliminating
vulnerable minimatch@3.x from both contracts and CRE lockfiles
(GHSA-3ppc-4f35-3m26).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>