From 20c054d6b9a975c7e72e8e9345b4bb7ee9cd7604 Mon Sep 17 00:00:00 2001
From: Ryan Whitworth
Date: Fri, 27 Mar 2026 15:39:39 -0400
Subject: [PATCH] fix: bump pbkdf2 to >=3.1.3 (CVE-2025-6547, CVE-2025-6545)

Add npm overrides to force pbkdf2 >=3.1.3 across all transitive dependencies, remediating CVE-2025-6547 and CVE-2025-6545 (CVSS 9.1).
---
 package.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package.json b/package.json
index 077d24e..bbe6367 100644
--- a/package.json
+++ b/package.json
@@ -39,5 +39,8 @@
   "homepage": "https://github.com/a16z/a16z-contracts#readme",
   "dependencies": {
     "@openzeppelin/contracts": "^4.7.3"
+  },
+  "overrides": {
+    "pbkdf2": ">=3.1.3"
   }
 }
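Review bot: The new `overrides` entry only takes effect once the lockfile is regenerated, and the diffstat shows package.json as the only file changed; the updated `package-lock.json` should be committed with this hunk, otherwise a stale install keeps the previously resolved pbkdf2 and `npm ci` will likely reject the out-of-sync lockfile. `overrides` is honoured by npm only (8.3 and later); if this repository is installed with Yarn or pnpm the equivalent `resolutions` or `pnpm.overrides` entry is needed instead, which the hunk does not show. The open-ended range `">=3.1.3"` also admits any future major of pbkdf2; `"pbkdf2": "^3.1.3"` keeps the remediation while avoiding an unreviewed major upgrade.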