chore: address audit findings #8194

Merged

andrew-scott-fischer merged 1 commit into master from WP-7983-bump-deps on Feb 23, 2026

Conversation

@louib (Contributor) commented Feb 23, 2026

This is the full audit finding:

Vulnerability Found:

  Severity: HIGH
  Modules:
    lerna>@npmcli/run-script>node-gyp>tar
    lerna>@lerna/create>@npmcli/run-script>node-gyp>tar
    lerna>@npmcli/run-script>node-gyp>make-fetch-happen>cacache>tar
    lerna>@lerna/create>@npmcli/run-script>node-gyp>make-fetch-happen>cacache>tar
    lerna>@lerna/create>pacote>@npmcli/run-script>node-gyp>make-fetch-happen>cacache>tar
    lerna>@npmcli/arborist>@npmcli/metavuln-calculator>pacote>@npmcli/run-script>node-gyp>make-fetch-happen>cacache>tar
    lerna>@lerna/create>@npmcli/arborist>@npmcli/metavuln-calculator>pacote>@npmcli/run-script>node-gyp>make-fetch-happen>cacache>tar
    lerna>@npmcli/arborist>@npmcli/metavuln-calculator>pacote>tar
    lerna>@lerna/create>@npmcli/arborist>@npmcli/metavuln-calculator>pacote>tar
    lerna>@npmcli/arborist>cacache>tar
    lerna>@lerna/create>@npmcli/arborist>cacache>tar
    lerna>@npmcli/arborist>npm-registry-fetch>make-fetch-happen>cacache>tar
    lerna>@lerna/create>@npmcli/arborist>npm-registry-fetch>make-fetch-happen>cacache>tar
    lerna>libnpmpublish>npm-registry-fetch>make-fetch-happen>cacache>tar
    lerna>@lerna/create>libnpmpublish>npm-registry-fetch>make-fetch-happen>cacache>tar
    lerna>@lerna/create>libnpmpublish>sigstore>@sigstore/sign>make-fetch-happen>cacache>tar
    lerna>@lerna/create>libnpmpublish>sigstore>@sigstore/tuf>tuf-js>make-fetch-happen>cacache>tar
    lerna>pacote>tar
    lerna>@lerna/create>pacote>tar
    lerna>tar
    lerna>@lerna/create>tar
    yeoman-generator>pacote>cacache>tar
    yeoman-generator>pacote>@npmcli/run-script>node-gyp>tar
    yeoman-generator>pacote>npm-registry-fetch>make-fetch-happen>cacache>tar
    yeoman-generator>pacote>@npmcli/run-script>node-gyp>make-fetch-happen>cacache>tar
    yeoman-generator>pacote>sigstore>@sigstore/tuf>tuf-js>make-fetch-happen>cacache>tar
    lerna>libnpmaccess>npm-registry-fetch>make-fetch-happen>cacache>tar
  URL: https://github.com/advisories/GHSA-83g3-92jg-28cx

As for the jspdf update, we are requesting an exception since it addresses another high-severity finding:

Vulnerability Found:

  Severity: HIGH
  Modules: @bitgo/key-card>jspdf, @bitgo/web-demo>@bitgo/key-card>jspdf
  URL: https://github.com/advisories/GHSA-67pg-wm7f-q7fj

TICKET: WP-7983
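One way to confirm that a dependency bump like this one actually removed every vulnerable copy of a package from the lockfile, as an added example that is not part of this PR or the repository: walk the `packages` map of a `package-lock.json` (lockfile v2/v3), list each installed copy of `tar` with its dependency chain in the same `a>b>tar` form the audit output uses, and flag copies still below the patched version. The sample lockfile below is constructed for illustration, and the fixed version `7.0.0` is an assumption for the example only; take the real patched range from the advisory.

```javascript
// Added example, not code from the PR or the BitGo repository.
// Reports every installed copy of a package in a package-lock.json v2/v3
// "packages" map and flags copies below an assumed patched version.

// Returns [major, minor, patch] as numbers. Build metadata and pre-release
// tags are stripped; pre-release ordering is deliberately not modelled here.
function parseSemver(v) {
  const core = v.replace(/^v/, '').split('+')[0].split('-')[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a semver version: ${v}`);
  }
  return parts;
}

// -1 if a < b, 0 if equal, 1 if a > b (core version only).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every lockfile entry whose path ends in node_modules/<name>, with the
// nesting chain rebuilt from the path, e.g.
// "node_modules/lerna/node_modules/tar" -> "lerna>tar".
// Matching on the full last path segment avoids false hits on "tar-stream".
function findInstalledCopies(lock, name) {
  const packages = lock.packages || {};
  const suffix = `node_modules/${name}`;
  const copies = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    const chain = path
      .split('node_modules/')
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ''))
      .join('>');
    copies.push({ path, chain, version: entry.version });
  }
  return copies;
}

// Splits installed copies into those below fixedVersion and those at or above it.
function auditPackage(lock, name, fixedVersion) {
  const vulnerable = [];
  const clean = [];
  for (const copy of findInstalledCopies(lock, name)) {
    (compareSemver(copy.version, fixedVersion) < 0 ? vulnerable : clean).push(copy);
  }
  return { vulnerable, clean };
}

// Constructed sample lockfile: a hoisted tar plus a second copy nested under
// lerna, which is the shape that keeps an audit finding alive after a bump.
const SAMPLE_LOCK = {
  name: 'sample',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample', version: '1.0.0' },
    'node_modules/tar': { version: '7.4.0' },
    'node_modules/lerna': { version: '8.1.9' },
    'node_modules/lerna/node_modules/tar': { version: '6.2.1' },
    'node_modules/tar-stream': { version: '3.1.7' }, // must not match "tar"
  },
};

// Assumed patched version for the example only; not taken from the advisory.
const ASSUMED_FIXED_TAR = '7.0.0';

const report = auditPackage(SAMPLE_LOCK, 'tar', ASSUMED_FIXED_TAR);
for (const c of report.vulnerable) {
  console.log(`STILL VULNERABLE: ${c.chain}@${c.version} (${c.path})`);
}
for (const c of report.clean) {
  console.log(`ok: ${c.chain}@${c.version}`);
}
```

Run it against the real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any line reported as still vulnerable is a nested copy that a top-level bump alone will not fix and that needs an `overrides` entry or a bump of the intermediate package.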

@louib louib force-pushed the WP-7983-bump-deps branch from 6600d4c to 9300619 on February 23, 2026 17:19
@louib louib closed this Feb 23, 2026
@louib louib reopened this Feb 23, 2026
@louib louib marked this pull request as ready for review February 23, 2026 17:57
@louib louib requested review from a team as code owners February 23, 2026 17:57
@bhargavirao24 left a comment

The vulnerabilities in jspdf are generally triggered by user-controlled input to addImage or addJS.
I reviewed it, and merging jspdf 4.2.0 should be fine; the risk is low.

Please loop us in if any new PR is created by the code owners and they run into blockers.

@andrew-scott-fischer andrew-scott-fischer merged commit 6d4dd49 into master Feb 23, 2026
39 of 40 checks passed
