[Snyk] Fix for 3 vulnerabilities #2299
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TAR-15038581 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-14908844 - https://snyk.io/vuln/SNYK-JS-H3-15010914
There was a problem hiding this comment.
Pull request overview
This PR updates four dependencies to address three security vulnerabilities identified by Snyk: an improper handling of Unicode encoding issue in tar, a cryptographic primitive vulnerability in elliptic, and an HTTP request smuggling vulnerability in h3.
Changes:
- Updates @reown/walletkit from 1.1.2 to 1.2.11
- Updates @walletconnect/core and @walletconnect/utils from 2.17.3 to 2.19.2
- Updates realm from 11.10.1 to 20.0.0 (major breaking change)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@walletconnect/react-native-compat": "2.17.3", | ||
| "@walletconnect/sign-client": "2.17.3", |
There was a problem hiding this comment.
Version mismatch detected in WalletConnect dependencies. The core and utils packages are being updated to version 2.19.2, but react-native-compat and sign-client remain at 2.17.3. This version inconsistency across the WalletConnect ecosystem packages could lead to compatibility issues or unexpected behavior. Ensure all WalletConnect packages are compatible with each other, or consider updating react-native-compat and sign-client to matching versions.
| "@walletconnect/react-native-compat": "2.17.3", | |
| "@walletconnect/sign-client": "2.17.3", | |
| "@walletconnect/react-native-compat": "2.19.2", | |
| "@walletconnect/sign-client": "2.19.2", |
| "react-timer-mixin": "0.13.4", | ||
| "readable-stream": "4.4.2", | ||
| "realm": "11.10.1", | ||
| "realm": "20.0.0", |
There was a problem hiding this comment.
The realm package is being upgraded from version 11.10.1 to 20.0.0, which represents a major version jump across 9 major versions. This is a breaking change that will likely require schema migrations, API changes, and significant code updates throughout the application where realm is used. Without corresponding code changes visible in this PR to handle the breaking changes, this update will likely cause runtime errors or data corruption. This upgrade should be thoroughly tested and may require database migrations to be written.
| "realm": "20.0.0", | |
| "realm": "11.10.1", |
Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15038581
SNYK-JS-ELLIPTIC-14908844
SNYK-JS-H3-15010914
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.