Description
Bug Description
See: https://github.com/wamp-proto/wamp-xbr/actions/runs/20275591925/job/58223239617
The failure is caused by a security vulnerability in pbkdf2 where the lowest non-vulnerable version is 3.1.3, but dependencies are constraining it to the vulnerable version 3.1.1. Dependencies requiring pbkdf2@^3.1.5 via transitive dependencies on [email protected] are responsible.
Solution
Resolve the dependency chain conflict and ensure pbkdf2 gets upgraded to >=3.1.3 (non-vulnerable version).
Steps to Resolution
- Identify Root Dependencies Requiring pbkdf2@^3.1.5:
  The following direct dependencies cause conflicts:

- Manually Upgrade Dependencies:
  Upgrade your direct dependencies to versions that support pbkdf2@>=3.1.3. The latest version availability can be checked using:

  ```
  npm info solidity-coverage@*   # or any other package
  ```

  For example, update solidity-coverage:

  ```
  npm install solidity-coverage@latest
  ```

- Override the Transitive Dependency:
  Use npm's overrides field or yarn resolutions in package.json to explicitly use a pbkdf2 version >=3.1.3. Add this configuration to your package.json under overrides:

  ```
  "overrides": { "pbkdf2": "3.1.3" }
  ```

  If using yarn, add this under resolutions:

  ```
  "resolutions": { "pbkdf2": "3.1.3" }
  ```

- Validate the Resolution:
  Run the following commands to verify:

  ```
  npm ls pbkdf2      # To check installed version
  yarn list pbkdf2   # If using yarn
  ```

- Test and Commit:
  Check your project for functionality after the update. Once validated, commit the changes:

  ```
  git add package.json package-lock.json
  git commit -m "Fix dependency conflict and update pbkdf2 to secured version"
  ```

- Retry Dependabot Update:
  Dependabot will now process the update successfully as the dependency conflict is resolved.
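The override step pins pbkdf2, but an unfixed copy can still survive as a nested install under another dependency, which `npm ls pbkdf2` only shows as a tree. The following is an added example (not code from this issue or the wamp-xbr project) that walks the `packages` map of a lockfileVersion 2/3 package-lock.json, reports every installed copy of a package below the first fixed release, and builds the matching `overrides` entry. The lockfile contents, the dependency name `example-dep` and the project name are constructed for the example; the only real values are the package name pbkdf2 and the fix version 3.1.3 stated above.

```javascript
// Added example: audit a package-lock.json for unfixed copies of a package
// and produce the "overrides" pin. Assumes the npm lockfileVersion 2/3 layout,
// where every installed copy has a key of the form node_modules/<pkg> or
// <parent path>/node_modules/<pkg>.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into three integers.
// Pre-release and build tags are dropped; that is enough for comparing
// against a plain release such as 3.1.3.
function parseVersion(v) {
  const core = String(v).split('-')[0].split('+')[0];
  const parts = core.split('.').map(n => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b (numeric, so 3.10.0 > 3.9.9).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every installed copy of pkgName whose version is below fixedVersion.
// Nested copies (deeper node_modules paths) are where unfixed versions hide
// after a top-level upgrade.
function findUnfixedCopies(lockfile, pkgName, fixedVersion) {
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    const isCopy = path === `node_modules/${pkgName}` ||
                   path.endsWith(`/node_modules/${pkgName}`);
    if (!isCopy || !entry.version) continue;
    if (compareVersions(entry.version, fixedVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Return a copy of a package.json object with an "overrides" pin added or replaced.
function withOverride(packageJson, pkgName, version) {
  return {
    ...packageJson,
    overrides: { ...(packageJson.overrides || {}), [pkgName]: version },
  };
}

// Constructed sample lockfile (not real project data): the top-level pbkdf2 is
// already at the fixed version, but a hypothetical "example-dep" still carries
// a nested 3.1.1 that would keep the vulnerable code on disk.
const sampleLockfile = {
  name: 'example-project',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-project', dependencies: { 'example-dep': '^1.0.0' } },
    'node_modules/pbkdf2': { version: '3.1.3' },
    'node_modules/example-dep': { version: '1.0.0', dependencies: { pbkdf2: '^3.0.0' } },
    'node_modules/example-dep/node_modules/pbkdf2': { version: '3.1.1' },
  },
};

const unfixed = findUnfixedCopies(sampleLockfile, 'pbkdf2', '3.1.3');
console.log('unfixed copies:', unfixed);
// prints [{ path: 'node_modules/example-dep/node_modules/pbkdf2', version: '3.1.1' }]

const pinned = withOverride({ name: 'example-project', version: '0.0.1' }, 'pbkdf2', '3.1.3');
console.log(JSON.stringify(pinned, null, 2));
```

Run it against a real lockfile by replacing `sampleLockfile` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result after reinstalling with the override in place is the condition to look for before committing. Lockfile v1 files (a nested `dependencies` tree instead of a flat `packages` map) are not handled here.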
Checklist
- I have searched existing issues to avoid duplicates
- I have provided a minimal reproducible example
- I have included version information
- I have included error messages/logs