[Snyk] Security upgrade @walletconnect/core from 2.17.4 to 2.18.0#455
revan-zhang wants to merge 1 commit into master from
Conversation
…duce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-14908844
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| "@unisat/wallet-utils": "^1.0.0", | ||
| "@uniswap/default-token-list": "^12.23.0", | ||
| "@walletconnect/core": "^2.13.0", | ||
| "@walletconnect/core": "^2.18.0", |
WalletConnect package version mismatch causes incompatibility risk
Medium Severity
Only @walletconnect/core was upgraded to ^2.18.0 (resolving to 2.23.9), while @walletconnect/sign-client and @walletconnect/types remain at ^2.13.0 (resolving to 2.17.4). The application imports RELAYER_EVENTS from core@2.23.9 but sign-client@2.17.4 internally depends on core@2.17.4, creating a version mismatch. WalletConnect packages are designed to work in lockstep. Additionally, sign-client@2.17.4 still pulls in @walletconnect/utils@2.17.4 which depends on elliptic@6.6.1 — the very vulnerable package this PR aims to fix — so the security vulnerability remains in the dependency tree.


Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
- packages/example/package.json
- packages/example/yarn.lock

Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project. You will need to run yarn to update the contents of the .yarn/cache/ directory. If you are not using zero-installs you can ignore this, as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-ELLIPTIC-14908844
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Note
Medium Risk
Dependency-only change, but it upgrades @walletconnect/core to a newer release line (lockfile now resolves 2.23.9) and pulls in updated WalletConnect/crypto/logging transitive deps, which could affect WalletConnect session/relay behavior at runtime.

Overview
Upgrades the example app's WalletConnect dependency by bumping @walletconnect/core from ^2.13.0 to ^2.18.0 in packages/example/package.json.
Regenerates packages/example/yarn.lock, which updates the resolved WalletConnect stack (notably @walletconnect/core/types/utils/logger) and related crypto/logging transitive packages, addressing the reported vulnerability.

Written by Cursor Bugbot for commit 97f6031. This will update automatically on new commits.