
Conversation

@Fletch153
Contributor

Dependabot Security Alerts - Fix Status

Repository: smartcontractkit/chainlink-starknet
Branch: dependabot-update-2026-02-08
Date: 2026-02-08

Summary

| Status | Count |
|---|---|
| Fixed | 38 |
| No Patch Available | 2 |
| Needs Approval | 3 |
| Blocked | 3 |
| Total | 46 |

Alerts

| # | Dependency | Ecosystem | Manifest | Severity | CVSS | Patched Version | Resolved Version | Status | Notes |
|---|---|---|---|---|---|---|---|---|---|
| 368 | tar | npm | yarn.lock | high | 8.2 | 7.5.7 | 7.5.7 | Fixed | Lockfile refresh |
| 367 | github.com/cometbft/cometbft | go | integration-tests/go.mod | high | 0 | 0.38.21 | 0.38.21 | Fixed | go get |
| 366 | lodash | npm | yarn.lock | medium | 6.5 | 4.17.23 | 4.17.23 | Fixed | Lockfile refresh |
| 365 | tar | npm | yarn.lock | high | 8.8 | 7.5.4 | 7.5.7 | Fixed | Lockfile refresh |
| 364 | diff | npm | yarn.lock | low | 0 | 5.2.2 | 5.2.2 | Fixed | Lockfile refresh |
| 362 | tar | npm | yarn.lock | high | 0 | 7.5.3 | 7.5.7 | Fixed | Lockfile refresh |
| 360 | undici | npm | yarn.lock | medium | 5.9 | 6.23.0 | 5.29.0 | Blocked | Needs undici 6.x (major); pinned to ^5 by starknet dep |
| 359 | github.com/ethereum/go-ethereum | go | integration-tests/go.mod | high | 0 | 1.16.8 | 1.16.8 | Fixed | go get |
| 358 | github.com/ethereum/go-ethereum | go | integration-tests/go.mod | high | 0 | 1.16.8 | 1.16.8 | Fixed | go get |
| 357 | github.com/ethereum/go-ethereum | go | monitoring/go.mod | high | 0 | 1.16.8 | 1.16.8 | Fixed | go get |
| 356 | github.com/ethereum/go-ethereum | go | relayer/go.mod | high | 0 | 1.16.8 | 1.16.8 | Fixed | go get |
| 355 | github.com/ethereum/go-ethereum | go | monitoring/go.mod | high | 0 | 1.16.8 | 1.16.8 | Fixed | go get |
| 354 | github.com/ethereum/go-ethereum | go | relayer/go.mod | high | 0 | 1.16.8 | 1.16.8 | Fixed | go get |
| 353 | elliptic | npm | yarn.lock | low | 5.6 | N/A | 6.6.1 | No Patch Available | Pinned via resolutions; no fix released |
| 352 | github.com/expr-lang/expr | go | integration-tests/go.mod | high | 7.5 | 1.17.7 | 1.17.7 | Fixed | go get |
| 345 | glob | npm | yarn.lock | high | 7.5 | 10.5.0 | 10.5.0 | Fixed | Lockfile refresh |
| 342 | js-yaml | npm | yarn.lock | medium | 5.3 | 3.14.2 | 3.14.2 | Fixed | Lockfile refresh |
| 341 | js-yaml | npm | yarn.lock | medium | 5.3 | 4.1.1 | 4.1.1 | Fixed | Lockfile refresh |
| 339 | github.com/consensys/gnark-crypto | go | relayer/go.mod | high | 7.5 | 0.18.1 | 0.19.2 | Fixed | go get |
| 338 | github.com/consensys/gnark-crypto | go | monitoring/go.mod | high | 7.5 | 0.18.1 | 0.19.2 | Fixed | go get |
| 336 | github.com/cometbft/cometbft | go | integration-tests/go.mod | high | 0 | 0.38.19 | 0.38.21 | Fixed | go get |
| 333 | tar-fs | npm | yarn.lock | high | 0 | 2.1.4 | 2.1.4 | Fixed | Lockfile refresh |
| 331 | axios | npm | contracts/package.json | high | 0 | 0.30.0 | 1.13.5 | Fixed | Direct bump ^0.24.0 -> ^1.7.9 |
| 330 | axios | npm | contracts/package.json | medium | 6.5 | 0.28.0 | 1.13.5 | Fixed | Direct bump ^0.24.0 -> ^1.7.9 |
| 316 | tmp | npm | yarn.lock | low | 2.5 | 0.2.4 | 0.0.33 | Blocked | Pinned by solc@0.8.26 (tmp@0.0.33 exact) |
| 314 | golang.org/x/oauth2 | go | ops/go.mod | high | 7.5 | 0.27.0 | 0.35.0 | Fixed | go get |
| 298 | tar-fs | npm | yarn.lock | high | 0 | 2.1.3 | 2.1.4 | Fixed | Lockfile refresh |
| 296 | github.com/getkin/kin-openapi | go | integration-tests/go.mod | high | 7.5 | 0.131.0 | 0.133.0 | Fixed | go get |
| 295 | github.com/getkin/kin-openapi | go | ops/go.mod | high | 7.5 | 0.131.0 | 0.133.0 | Fixed | go get |
| 293 | undici | npm | yarn.lock | low | 3.1 | 5.29.0 | 5.29.0 | Fixed | Lockfile refresh |
| 290 | axios | npm | yarn.lock | high | 0 | 0.30.0 | 0.24.0 | Needs Approval | Transitive via @chainlink/gauntlet-core@0.3.1; needs major bump to 1.x |
| 281 | tar-fs | npm | yarn.lock | high | 0 | 2.1.2 | 2.1.4 | Fixed | Lockfile refresh |
| 260 | serialize-javascript | npm | yarn.lock | medium | 5.4 | 6.0.2 | 6.0.2 | Fixed | Lockfile refresh |
| 244 | undici | npm | yarn.lock | medium | 6.8 | 5.28.5 | 5.29.0 | Fixed | Lockfile refresh |
| 234 | nanoid | npm | yarn.lock | medium | 4.3 | 3.3.8 | removed | Fixed | Dependency removed during lockfile refresh |
| 215 | cookie | npm | yarn.lock | low | 0 | 0.7.0 | 0.4.2 | Blocked | Pinned by @sentry/node@5.30.0 via hardhat; cookie ^0.4.1 can't reach 0.7.0 |
| 190 | ws | npm | yarn.lock | high | 7.5 | 7.5.10 | 7.5.10 | Fixed | Lockfile refresh |
| 188 | braces | npm | yarn.lock | high | 7.5 | 3.0.3 | 3.0.3 | Fixed | Lockfile refresh |
| 170 | undici | npm | yarn.lock | low | 3.9 | 5.28.4 | 5.29.0 | Fixed | Lockfile refresh |
| 169 | undici | npm | yarn.lock | low | 2.6 | 5.28.4 | 5.29.0 | Fixed | Lockfile refresh |
| 164 | follow-redirects | npm | yarn.lock | medium | 6.5 | 1.15.6 | 1.15.11 | Fixed | Lockfile refresh |
| 152 | @openzeppelin/contracts | npm | yarn.lock | medium | 6.5 | 4.9.6 | 4.9.6 | Fixed | Lockfile refresh |
| 149 | axios | npm | yarn.lock | medium | 6.5 | 0.28.0 | 0.24.0 | Needs Approval | Transitive via @chainlink/gauntlet-core@0.3.1; needs major bump to 1.x |
| 144 | undici | npm | yarn.lock | low | 3.9 | 5.28.3 | 5.29.0 | Fixed | Lockfile refresh |
| 143 | pkg | npm | yarn.lock | medium | 6.6 | N/A | 5.8.1 | No Patch Available | No patched version exists; package is deprecated |
| 140 | follow-redirects | npm | yarn.lock | medium | 6.1 | 1.15.4 | 1.15.11 | Fixed | Lockfile refresh |


Ecosystems

  • npm (yarn workspaces, Yarn 4.5.3): root package.json, contracts/package.json, packages-ts/*, yarn.lock
  • Go (go 1.25.3 / go 1.24.2): relayer/go.mod, monitoring/go.mod, integration-tests/go.mod, ops/go.mod

Fix Log

Tier 1: Lockfile Refresh

  • npm: Deleted yarn.lock and ran yarn install. Resolved 24 npm alerts.
  • Go: Ran go get <pkg>@latest && go mod tidy for each vulnerable package across all 4 Go modules. Resolved 14 Go alerts.

Tier 3: Direct Dependency Bumps

Tier 4: Small Code Changes

  • @ledgerhq/hw-app-starknet: Fixed LedgerError.NoErrors -> LedgerError.NoError in packages-ts/starknet-gauntlet-ledger/src/index.ts (enum rename in updated dependency).

CI Runtime

  • Dockerfile: Updated monitoring/ops/Dockerfile Go image from golang:1.23.5 to golang:1.25.3 to match go.mod.
  • Note: .tool-versions has golang 1.23.3 which mismatches go.mod go 1.25.3 -- this pre-exists on develop.

Blocked / Needs Approval

Verification

  • All TypeScript packages build successfully (yarn build)
  • All Go modules build successfully (go build ./...)
  • Relayer tests pass (go test ./... -short)
  • Monitoring tests pass (go test ./... -short)
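A review of a report like the one above usually comes down to one question per row: does the Status column agree with the Patched and Resolved columns (a row marked Fixed whose resolved version is still below the patched version would be a silent miss, and a row marked Blocked whose resolved version already reaches the patch is stale)? The script below is an added example, not code from this PR or the chainlink-starknet project. It parses rows in the table's whitespace-separated shape, compares dotted versions, applies one rule per status and recomputes the Summary counts. The ROWS list is copied from the alert table above (a subset covering every status); the per-status rules are this example's own assumptions about what the statuses are meant to imply.

```python
"""Consistency check for a Dependabot fix-status table like the one above.

Added example, not code from the PR or the chainlink-starknet project. The rows in
ROWS are copied from the alert table above (a subset covering every status); the
rules applied to them (version comparison, what each status must imply) are this
example's own assumptions about the report format.
"""
import re
from dataclasses import dataclass

# Status names as they appear in the table, multi-word names first so that a
# status is matched as a whole before the free-text Notes column is split off.
STATUSES = ("No Patch Available", "Needs Approval", "Blocked", "Fixed")

# Rows copied from the alert table above; the first eight columns never contain
# spaces, so only Status and the trailing Notes need special handling.
ROWS = [
    "368 tar npm yarn.lock high 8.2 7.5.7 7.5.7 Fixed Lockfile refresh",
    "360 undici npm yarn.lock medium 5.9 6.23.0 5.29.0 Blocked Needs undici 6.x (major); pinned to ^5 by starknet dep",
    "353 elliptic npm yarn.lock low 5.6 N/A 6.6.1 No Patch Available Pinned via resolutions; no fix released",
    "331 axios npm contracts/package.json high 0 0.30.0 1.13.5 Fixed Direct bump ^0.24.0 -> ^1.7.9",
    "316 tmp npm yarn.lock low 2.5 0.2.4 0.0.33 Blocked Pinned by solc@0.8.26 (tmp@0.0.33 exact)",
    "290 axios npm yarn.lock high 0 0.30.0 0.24.0 Needs Approval Transitive via @chainlink/gauntlet-core@0.3.1; needs major bump to 1.x",
    "234 nanoid npm yarn.lock medium 4.3 3.3.8 removed Fixed Dependency removed during lockfile refresh",
    "215 cookie npm yarn.lock low 0 0.7.0 0.4.2 Blocked Pinned by @sentry/node@5.30.0 via hardhat; cookie ^0.4.1 can't reach 0.7.0",
    "143 pkg npm yarn.lock medium 6.6 N/A 5.8.1 No Patch Available No patched version exists; package is deprecated",
]


@dataclass
class Alert:
    alert_id: int
    dependency: str
    ecosystem: str
    manifest: str
    severity: str
    cvss: float
    patched: str
    resolved: str
    status: str
    notes: str


def parse_version(text):
    """Return a comparable int tuple for a dotted version, or None for N/A/removed."""
    if not re.fullmatch(r"v?\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.lstrip("v").split("."))


def parse_row(line):
    """Split one table row: eight single-token columns, then Status, then Notes."""
    head = line.split(None, 8)
    if len(head) < 9:
        raise ValueError(f"too few columns: {line!r}")
    tail = head[8]
    for status in STATUSES:
        if tail == status or tail.startswith(status + " "):
            notes = tail[len(status):].strip()
            break
    else:
        raise ValueError(f"unknown status in row: {line!r}")
    return Alert(int(head[0]), head[1], head[2], head[3], head[4],
                 float(head[5]), head[6], head[7], status, notes)


def check_alert(alert):
    """Return the inconsistencies found in one row (empty list means consistent).

    Fixed                    -> resolved reaches patched, or the dependency was removed
    Blocked / Needs Approval -> resolved is still below patched (the alert is still open)
    No Patch Available       -> no patched version is listed at all
    """
    patched = parse_version(alert.patched)
    resolved = parse_version(alert.resolved)
    problems = []
    if alert.status == "No Patch Available":
        if alert.patched != "N/A":
            problems.append(f"#{alert.alert_id}: patched version {alert.patched} listed but status is No Patch Available")
    elif alert.status == "Fixed":
        if alert.resolved != "removed" and (patched is None or resolved is None or resolved < patched):
            problems.append(f"#{alert.alert_id}: marked Fixed but resolved {alert.resolved} does not reach patched {alert.patched}")
    else:
        if patched is None or resolved is None or resolved >= patched:
            problems.append(f"#{alert.alert_id}: marked {alert.status} but resolved {alert.resolved} already reaches patched {alert.patched}")
    return problems


def summarize(alerts):
    """Recompute the Summary table (count per status plus Total) from the rows."""
    counts = {status: 0 for status in STATUSES}
    for alert in alerts:
        counts[alert.status] += 1
    counts["Total"] = len(alerts)
    return counts


def audit(rows):
    """Parse every row and return (summary counts, list of inconsistency messages)."""
    alerts = [parse_row(row) for row in rows]
    problems = [msg for alert in alerts for msg in check_alert(alert)]
    return summarize(alerts), problems


if __name__ == "__main__":
    summary, problems = audit(ROWS)
    print(summary)
    print("\n".join(problems) or "all rows consistent")
```

Running it on the full 46-row table would also let a reviewer confirm the Summary counts (38 / 2 / 3 / 3) against the rows rather than trusting the hand-written totals; the "removed" case for nanoid is handled explicitly because a lockfile refresh that drops a dependency has no resolved version to compare.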

@github-actions

github-actions bot commented Feb 8, 2026

👋 Fletch153, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

@cl-sonarqube-production

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 75%)
C Maintainability Rating on New Code (required ≥ A)
11.11% Technical Debt Ratio on New Code (required ≤ 4%)

See analysis details on SonarQube


@Fletch153 Fletch153 merged commit 6454dc4 into develop Feb 9, 2026
29 of 31 checks passed
@Fletch153 Fletch153 deleted the dependabot-update-2026-02-08 branch February 9, 2026 16:41