Problem
`yarn audit` against the current `package.json` reports:

| Severity | Count |
|----------|-------|
| critical | 104 |
| high | 267 |
| moderate | 317 |
| low | 147 |

(Total deps: 2,228.)
No direct imports of risky modules (verified by grep — no direct `crypto-js`, `elliptic`, `secp256k1`, `tiny-secp256k1`, `pbkdf2`, `sha.js`, `cipher-base`, `jsonwebtoken`). Every critical advisory comes through transitively.

Top transitive sources by impact:

| Dep | Pulls in CVEs via |
|-----|-------------------|
| `@cosmjs/*` 0.29.3 | axios, protobufjs, tiny-secp256k1, secp256k1, ws |
| `wagmi` 0.11.5 | older ethers chain, node-forge, elliptic |
| `@cosmos-kit/*` ≤0.14 | serialize-javascript, walletconnect chain |
| `@osmonauts/telescope` 0.75 | glob/minimatch/rimraf ReDoS |
| `eslint-config-next` 12.2.5 | tsconfig-paths → json5 proto-pollution |
Proposed fix
Two upgrade waves:
Wave 1 — patch level (safe):

- `next` 12.3.7 → 12.3.x latest (ongoing) ✅ already shipped in 148a57f
- `eslint` 8.27 → 8.57 (newest 8.x)
- Anything else with a same-major patch that clears advisories

Wave 2 — major (breaking, separate PR each):

- `@cosmjs/*` 0.29 → 0.32 (newer signing API, message types, signer interfaces)
- `@cosmos-kit/*` ≤0.14 → 2.x (provider hierarchy changed)
- `wagmi` 0.11 → 2.x (root provider rewritten, ethers → viem cutover)
- `framer-motion` 7.6 → 11.x (minor breaking)
- `chakra-ui` 2.3 → 2.10 (minor)
Wave 2 is a multi-day project per major dep — should be tracked as separate sub-issues.
Why now
- Most of the criticals are not exploitable from within wallet flows (e.g. ReDoS in `minimatch` only matters if untrusted globs are evaluated, which we don't do).
- A few are genuinely concerning for a crypto wallet: `protobufjs` prototype-pollution, `axios` SSRF/proto, `serialize-javascript` RCE-via-RegExp.
- Compliance/audit ergonomics: any external security review will flag the report regardless of exploitability.
Acceptance

- `critical` count drops <5 (residual = unfixable transitive)

Background: surfaced during the self-audit pass behind #198.
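As an added example (not part of this issue or the repo), a small script that reads `yarn audit --json` output, separates direct from transitive findings, groups them by the top-level dep that pulls them in, and evaluates the `critical` < 5 acceptance gate. It assumes yarn classic's NDJSON record shape (`auditAdvisory` records with `data.resolution.path` and `data.advisory.severity`); the sample records at the bottom are constructed.

```javascript
// Added example, not project code. Assumes yarn classic `yarn audit --json`
// record shape: {"type":"auditAdvisory","data":{"resolution":{"path":"a>b>c"},
// "advisory":{"severity":"high","module_name":"c"}}} plus a trailing auditSummary.
const SEVERITIES = ["critical", "high", "moderate", "low", "info"];

// Parse newline-delimited JSON into flat findings; non-advisory records are skipped.
function parseYarnAudit(ndjson) {
  const findings = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type !== "auditAdvisory") continue;
    const chain = rec.data.resolution.path.split(">"); // first hop = direct dep
    findings.push({
      severity: rec.data.advisory.severity,
      module: rec.data.advisory.module_name,
      root: chain[0],
      transitive: chain.length > 1,
    });
  }
  return findings;
}

// Count per severity and list which vulnerable modules each direct dep pulls in.
function summarize(findings) {
  const bySeverity = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  const roots = {};
  for (const f of findings) {
    bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
    if (!roots[f.root]) roots[f.root] = new Set();
    roots[f.root].add(f.module);
  }
  const byRoot = {};
  for (const [root, mods] of Object.entries(roots)) byRoot[root] = [...mods].sort();
  return { bySeverity, byRoot };
}

// Acceptance gate from the issue: residual criticals must stay below the threshold.
function meetsAcceptance(summary, maxCritical = 5) {
  return summary.bySeverity.critical < maxCritical;
}

// Constructed sample input (not real audit output); helper builds one record.
const adv = (severity, module_name, path) =>
  JSON.stringify({ type: "auditAdvisory", data: { resolution: { path }, advisory: { severity, module_name } } });
const SAMPLE = [
  adv("critical", "protobufjs", "@cosmjs/stargate>protobufjs"),
  adv("critical", "axios", "@cosmjs/stargate>axios"),
  adv("critical", "serialize-javascript", "@cosmos-kit/core>serialize-javascript"),
  adv("high", "elliptic", "wagmi>ethers>elliptic"),
  adv("moderate", "minimatch", "minimatch"),
  JSON.stringify({ type: "auditSummary", data: { totalDependencies: 5 } }),
].join("\n");
```

Run against a real report with `yarn audit --json > audit.ndjson` and feed the file contents to `parseYarnAudit`; a non-zero exit on `meetsAcceptance` failing makes this usable as a CI gate.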