Feature/fully native#60

Open
ericHgorski wants to merge 2 commits into stationmoney:beta from francisco-terra:feature/fully-native
@ericHgorski

No description provided.

0xApotheosis referenced this pull request in StationWallet/station-mobile Apr 17, 2026
Adds npm overrides to pull vulnerable transitive deps to patched versions:
- protobufjs ^7.5.5 (was 6.11.4) — fixes GHSA-xq3m-2v4x-88gg (#68)
- axios ^0.31.0 (was 0.27.2) — fixes GHSA-3p68-rc4w-qgx5 (#67),
  GHSA-fvcv-3m26-pcqx (#66), GHSA-jr5f-v2jv-69x6 (#59),
  GHSA-wf5p-g6vw-rhxx (#57), GHSA-43fc-jf86-j433 (#34)
- follow-redirects ^1.16.0 — fixes GHSA-r4q5-vmmm-2653 (#65)
- @xmldom/xmldom ^0.8.12 (was 0.8.11) — fixes GHSA-wh4c-j3r5-mjhp (#51)
- bn.js ^4.12.3 (was 4.11.8 via terra.js) — fixes GHSA-378v-28hj-76wf (#40)

Removes @walletconnect/client: unused in src (only image assets and
walletconnectID config field remain; no runtime imports). This also
eliminates its nested ws@7.5.3 (vulnerable) and bn.js@4.11.8.

Not addressed (see PR description for rationale):
- crypto-js #56, lodash #60/#61: CVEs don't affect our code paths
- d3-color #55: can't override — d3-interpolate v1 pins d3-color v1
- elliptic #25: no patch available upstream

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
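
One way to confirm that overrides like the ones listed in the commit message above reached every installed copy, nested ones included. This is an added example, not code from this pull request or repository; the lockfile excerpt and the `some-lib` package are constructed, and only the package names and version floors come from the commit message.

```javascript
// Package names and caret floors are taken from the commit message.
const FLOORS = new Map([
  ["protobufjs", "7.5.5"],
  ["axios", "0.31.0"],
  ["follow-redirects", "1.16.0"],
  ["@xmldom/xmldom", "0.8.12"],
  ["bn.js", "4.12.3"],
]);

// Numeric x.y.z only; prerelease and build suffixes are ignored.
const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);

// npm caret semantics: everything up to the floor's first non-zero
// component must match exactly, the remainder must be >= the floor.
function satisfiesCaret(version, floor) {
  const v = parse(version), f = parse(floor);
  let pin = f.findIndex((n) => n !== 0);
  if (pin === -1) pin = 2;
  for (let i = 0; i <= pin; i++) if (v[i] !== f[i]) return false;
  for (let i = pin + 1; i < 3; i++) if (v[i] !== f[i]) return v[i] > f[i];
  return true;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report each installed copy of a tracked package outside its caret range.
function findStale(lock) {
  const stale = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const floor = FLOORS.get(name);
    if (floor && meta.version && !satisfiesCaret(meta.version, floor)) {
      stale.push({ path, version: meta.version, floor });
    }
  }
  return stale;
}

// Constructed lockfile excerpt: one hoisted and one nested copy left behind.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.31.0" },
    "node_modules/protobufjs": { version: "7.5.5" },
    "node_modules/@xmldom/xmldom": { version: "0.8.11" },
    "node_modules/bn.js": { version: "4.12.3" },
    "node_modules/some-lib/node_modules/bn.js": { version: "4.11.8" },
  },
};
console.log(findStale(sampleLock));
```

Against a real tree, pass the parsed contents of `package-lock.json` to `findStale` and fail the build when the result is non-empty.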