Skip to content

ci: add npm audit check to CI and fix all vulnerabilities#313

Open
DammyAji wants to merge 2 commits into
dark-princezz:mainfrom
DammyAji:feature/issue--172
Open

ci: add npm audit check to CI and fix all vulnerabilities#313
DammyAji wants to merge 2 commits into
dark-princezz:mainfrom
DammyAji:feature/issue--172

Conversation

@DammyAji

Copy link
Copy Markdown

Summary

Closes #172

Adds npm audit --audit-level=high to CI (already present in ci.yml) and fixes all issues that were causing the CI pipeline to fail.

Changes

Vulnerability fix

  • Bumped vitest from ^1.6.0 to ^3.2.6 to resolve critical CVE (GHSA-5xrq-8626-4rwp), high form-data vuln, and the esbuild chain. Only 1 low-severity vuln remains (below the --audit-level=high threshold).

SDK API fixes (stellar-sdk v13)

  • SorobanRpcrpc namespace rename in useLedgerEntry, useSorobanContract, useTransaction
  • StellarTomlResolverStellarToml.Resolver.resolve in useStellarToml

Freighter API fixes (freighter-api v2)

  • Replaced getAddress (v3 API) with getPublicKey + getNetworkDetails
  • isConnected() now returns boolean directly (not an object)
  • signTransaction, signAuthEntry, signBlob return string directly (no .signedTxXdr wrapper)

Type fixes

  • ContractCallOptions.fee changed from number to string to match TransactionBuilder
  • utils/index.ts parseAccountResponse fixed for exactOptionalPropertyTypes and liquidity pool balance fields

Test/lint fixes

  • Fixed broken import paths in utils.test.ts (../src/utils../utils)
  • Removed unused imports and fixed no-explicit-any errors across hooks and tests
  • Fixed possibly-undefined access in useContractEvents.test.ts

CI results (verified locally)

npm ci                       ✅
npm audit --audit-level=high ✅
npm run typecheck            ✅
npm run lint                 ✅
npm test                     ✅  5 files, 34 tests passed

DammyAji added 2 commits June 25, 2026 03:00
- Bump vitest from ^1.6.0 to ^3.2.6 to resolve critical CVE (GHSA-5xrq-8626-4rwp) and high severity vulnerabilities
- Fix SorobanRpc → rpc namespace rename for @stellar/stellar-sdk v13 (useLedgerEntry, useSorobanContract, useTransaction)
- Fix StellarTomlResolver → StellarToml.Resolver.resolve for SDK v13 (useStellarToml)
- Fix useFreighter to use freighter-api v2 API (getPublicKey, getNetworkDetails instead of getAddress)
- Fix fee type in ContractCallOptions (number → string)
- Fix utils/index.ts parseAccountResponse for exactOptionalPropertyTypes and liquidity pool balances
- Fix broken import paths in utils.test.ts (../src/utils → ../utils)
- Fix unused imports and no-explicit-any lint errors across hooks and tests
- Fix useContractEvents.test.ts possibly undefined access

Closes dark-princezz#172
@DammyAji DammyAji force-pushed the feature/issue--172 branch from 19a3830 to 7833c0e Compare June 25, 2026 03:24
@drips-wave

drips-wave Bot commented Jun 25, 2026

Copy link
Copy Markdown

@DammyAji Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@gloriaelishahabu

Copy link
Copy Markdown
Contributor

@DammyAji resolve issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci: add npm audit check to CI to catch new vulnerabilities

2 participants