Skip to content

fix(stellar): upgrade stellar-sdk v10 → @stellar/stellar-sdk v16#9231

Draft
prajwalu142 wants to merge 1 commit into
masterfrom
INFOSEC191/upgradeStellarSdk
Draft

fix(stellar): upgrade stellar-sdk v10 → @stellar/stellar-sdk v16#9231
prajwalu142 wants to merge 1 commit into
masterfrom
INFOSEC191/upgradeStellarSdk

Conversation

@prajwalu142

Copy link
Copy Markdown
Contributor

Problem

stellar-sdk v10 bundles toml@2.3.6 which parses [proto] tables by
writing directly to Object.prototype (prototype pollution). Chained with
the SSRF in the XLM federation lookup endpoint and a Jade RCE sink, an
unauthenticated attacker can achieve remote code execution inside
wallet-platform pods. INFOSEC-191.

Goal

Remove the prototype pollution sink at the root by upgrading to
@stellar/stellar-sdk v16, which replaces toml@2.3.6 with smol-toml — a
strict TOML 1.0 parser that never mutates Object.prototype.

Fix

  • Replaced stellar-sdk ^10.0.1 with @stellar/stellar-sdk ^16.0.0 in
    sdk-coin-xlm, sdk-coin-algo, sdk-coin-hbar, and bitgo packages.
  • Updated all import sites from stellar-sdk to @stellar/stellar-sdk.
  • Migrated stellar.Server → stellar.Horizon.Server (v11+ API split).
  • Migrated stellar.FederationServer → stellar.Federation.Server; return
    type updated to stellar.Federation.Api.Record.
  • Updated operation parameter types from the removed stellar.Operation
    instance type to stellar.OperationRecord (v16 discriminated union).
  • Used @stellar/stellar-sdk/axios subpath for federation requests to
    preserve nock HTTP interception in tests (v16 defaults to native fetch).
  • Removed conflicting bignumber.js v4 root resolution pins; added scoped
    pin for @stellar/stellar-sdk to prevent yarn hoisting v4 (lacks .clone).
  • Simplified txToString to use tx.toXDR() available directly on
    TransactionBase in v16, removing the old overload cast workaround.

Testing

Full unit test suites for sdk-coin-xlm (86 tests), sdk-coin-hbar (233),
and sdk-coin-algo all pass with zero failures, including the federation
lookup tests that exercise the axios subpath.

Ticket: INFOSEC-191
🤖 Generated with Claude Code

## Problem

stellar-sdk v10 bundles toml@2.3.6 which parses [__proto__] tables by
writing directly to Object.prototype (prototype pollution). Chained with
the SSRF in the XLM federation lookup endpoint and a Jade RCE sink, an
unauthenticated attacker can achieve remote code execution inside
wallet-platform pods. INFOSEC-191.

## Goal

Remove the prototype pollution sink at the root by upgrading to
@stellar/stellar-sdk v16, which replaces toml@2.3.6 with smol-toml — a
strict TOML 1.0 parser that never mutates Object.prototype.

## Fix

- Replaced stellar-sdk ^10.0.1 with @stellar/stellar-sdk ^16.0.0 in
  sdk-coin-xlm, sdk-coin-algo, sdk-coin-hbar, and bitgo packages.
- Updated all import sites from stellar-sdk to @stellar/stellar-sdk.
- Migrated stellar.Server → stellar.Horizon.Server (v11+ API split).
- Migrated stellar.FederationServer → stellar.Federation.Server; return
  type updated to stellar.Federation.Api.Record.
- Updated operation parameter types from the removed stellar.Operation
  instance type to stellar.OperationRecord (v16 discriminated union).
- Used @stellar/stellar-sdk/axios subpath for federation requests to
  preserve nock HTTP interception in tests (v16 defaults to native fetch).
- Removed conflicting bignumber.js v4 root resolution pins; added scoped
  pin for @stellar/stellar-sdk to prevent yarn hoisting v4 (lacks .clone).
- Simplified txToString to use tx.toXDR() available directly on
  TransactionBase in v16, removing the old overload cast workaround.

## Testing

Full unit test suites for sdk-coin-xlm (86 tests), sdk-coin-hbar (233),
and sdk-coin-algo all pass with zero failures, including the federation
lookup tests that exercise the axios subpath.

Ticket: INFOSEC-191
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant