From 8594f871bea551aa9b3dc5687ffe88dfec805592 Mon Sep 17 00:00:00 2001
From: DanielDerefaka
Date: Mon, 22 Dec 2025 18:12:37 +0100
Subject: [PATCH 1/2] fix: bump valibot to ^1.2.0 to address ReDoS vulnerability

Bumps valibot from ^0.38.0 to ^1.2.0 to fix a HIGH severity ReDoS vulnerability in EMOJI_REGEX (GHSA-vqpr-j7v3-hqw9). All tests pass with the new version.

Fixes #2303
---
 package-lock.json | 13 +++++++++----
 package.json | 2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e8eda4bdc..61f963247 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,7 @@
 "bip174": "^3.0.0",
 "bs58check": "^4.0.0",
 "uint8array-tools": "^0.0.9",
- "valibot": "^0.38.0",
+ "valibot": "^1.2.0",
 "varuint-bitcoin": "^2.0.0"
 },
 "devDependencies": {
@@ -938,6 +938,7 @@
 "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.4.0.tgz",
 "integrity": "sha512-NHgWmKSgJk5K9N16GIhQ4jSobBoJwrmURaLErad0qlLjrpP5bECYg+wxVTGlGZmJbU03jj/dfnb6V9bw+5icsA==",
 "dev": true,
+ "peer": true,
 "dependencies": {
 "@typescript-eslint/scope-manager": "8.4.0",
 "@typescript-eslint/types": "8.4.0",
@@ -1111,6 +1112,7 @@
 "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.12.1.tgz",
 "integrity": "sha512-tcpGyI9zbizT9JbV6oYE477V6mTlXvvi0T0G3SNIYE2apm/G5huBa1+K89VGeovbg+jycCrfhl3ADxErOuO6Jg==",
 "dev": true,
+ "peer": true,
 "bin": {
 "acorn": "bin/acorn"
 },
@@ -3064,6 +3066,7 @@
 "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.3.3.tgz",
 "integrity": "sha512-i2tDNA0O5IrMO757lfrdQZCc2jPNDVntV0m/+4whiDfWaTKfMNgR7Qz0NAeGz/nRqF4m5/6CLzbP4/liHt12Ew==",
 "dev": true,
+ "peer": true,
 "bin": {
 "prettier": "bin/prettier.cjs"
 },
@@ -3815,6 +3818,7 @@
 "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.5.4.tgz",
 "integrity": "sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q==",
 "devOptional": true,
+ "peer": true,
 "bin": {
 "tsc": "bin/tsc",
 "tsserver": "bin/tsserver"
@@ -3873,9 +3877,10 @@
 }
 },
 "node_modules/valibot": {
- "version": "0.38.0",
- "resolved": "https://registry.npmjs.org/valibot/-/valibot-0.38.0.tgz",
- "integrity": "sha512-RCJa0fetnzp+h+KN9BdgYOgtsMAG9bfoJ9JSjIhFHobKWVWyzM3jjaeNTdpFK9tQtf3q1sguXeERJ/LcmdFE7w==",
+ "version": "1.2.0",
+ "resolved": "https://registry.npmjs.org/valibot/-/valibot-1.2.0.tgz",
+ "integrity": "sha512-mm1rxUsmOxzrwnX5arGS+U4T25RdvpPjPN4yR0u9pUBov9+zGVtO84tif1eY4r6zWxVxu3KzIyknJy3rxfRZZg==",
+ "license": "MIT",
 "peerDependencies": {
 "typescript": ">=5"
 },
diff --git a/package.json b/package.json
index a2149f76c..a4d1ede0c 100644
--- a/package.json
+++ b/package.json
@@ -68,7 +68,7 @@
 "bip174": "^3.0.0",
 "bs58check": "^4.0.0",
 "uint8array-tools": "^0.0.9",
- "valibot": "^0.38.0",
+ "valibot": "^1.2.0",
 "varuint-bitcoin": "^2.0.0"
 },
 "devDependencies": {

From 1a1e39ee7d1b11139ff473b4ae458918e990ca4c Mon Sep 17 00:00:00 2001
From: DanielDerefaka
Date: Wed, 31 Dec 2025 10:22:22 +0100
Subject: [PATCH 2/2] fix: remove unintended peer:true additions from package-lock.json

Clean up package-lock.json to only contain the valibot version bump without the spurious peer:true markers that npm automatically adds.
---
 package-lock.json | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 61f963247..1c709c137 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -938,7 +938,6 @@
 "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.4.0.tgz",
 "integrity": "sha512-NHgWmKSgJk5K9N16GIhQ4jSobBoJwrmURaLErad0qlLjrpP5bECYg+wxVTGlGZmJbU03jj/dfnb6V9bw+5icsA==",
 "dev": true,
- "peer": true,
 "dependencies": {
 "@typescript-eslint/scope-manager": "8.4.0",
 "@typescript-eslint/types": "8.4.0",
@@ -1112,7 +1111,6 @@
 "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.12.1.tgz",
 "integrity": "sha512-tcpGyI9zbizT9JbV6oYE477V6mTlXvvi0T0G3SNIYE2apm/G5huBa1+K89VGeovbg+jycCrfhl3ADxErOuO6Jg==",
 "dev": true,
- "peer": true,
 "bin": {
 "acorn": "bin/acorn"
 },
@@ -3066,7 +3064,6 @@
 "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.3.3.tgz",
 "integrity": "sha512-i2tDNA0O5IrMO757lfrdQZCc2jPNDVntV0m/+4whiDfWaTKfMNgR7Qz0NAeGz/nRqF4m5/6CLzbP4/liHt12Ew==",
 "dev": true,
- "peer": true,
 "bin": {
 "prettier": "bin/prettier.cjs"
 },
@@ -3818,7 +3815,6 @@
 "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.5.4.tgz",
 "integrity": "sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q==",
 "devOptional": true,
- "peer": true,
 "bin": {
 "tsc": "bin/tsc",
 "tsserver": "bin/tsserver"
@@ -3880,7 +3876,6 @@
 "version": "1.2.0",
 "resolved": "https://registry.npmjs.org/valibot/-/valibot-1.2.0.tgz",
 "integrity": "sha512-mm1rxUsmOxzrwnX5arGS+U4T25RdvpPjPN4yR0u9pUBov9+zGVtO84tif1eY4r6zWxVxu3KzIyknJy3rxfRZZg==",
- "license": "MIT",
 "peerDependencies": {
 "typescript": ">=5"
 },