[Snyk] Fix for 1 vulnerabilities

[Nguyendinhtuan17]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • lp_ui/package.json
  • lp_ui/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Improper Restriction of Operations within the Bounds of a Memory Buffer SNYK-JS-SOLANAWEB3JS-6647564	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @solana/wallet-adapter-wallets

The new version differs by 155 commits.

• abfd2af update yarn.lock
• b775b39 version bumps
• 1e6c22c solflare changes
• 3beda19 organize imports and format
• 5aeafc6 Merge pull request transfer hbtc from Solana to Eth( wormhole) , stuck in "In Process" wormhole-foundation/wormhole#287 from vsakos/master
• b9a2bc5 Merge branch 'master' into vsakos/master
• 0373f0d Merge pull request #293 from solana-labs/release-276
• 61e9486 update yarn.lock
• eaf5e40 internal patch version updates
• 5466d72 patch version bump
• 41c4931 Merge pull request Peers connection errors (guardian testnet v2) wormhole-foundation/wormhole#276 from steveluscher/polyfill-node-apis-for-webpack-5-second-try
• bb169d4 fix peer / dev dependencies
• df61ce4 Merge branch 'master' into polyfill-node-apis-for-webpack-5-second-try
• 22de63c update torus to fix build
• ba7ed5c reorder UI packages
• ed4dd08 Merge pull request How to get eth address from mintkey? wormhole-foundation/wormhole#285 from danmt/danmt/remove-angular
• e10f3fe link to solana-dapp-next
• be585cc fix readme tables
• 61916bb Merge branch 'master' into danmt/remove-angular
• 9a50e8a run prettier on vue files
• b896f34 Merge branch 'master' of https://github.com/solana-labs/wallet-adapter
• 0ab7770 Merge pull request Add histogram data to heartbeats wormhole-foundation/wormhole#290 from derivativedegen/master
• f8d0075 update yarn.lock
• 43b332f Merge branch 'master' into polyfill-node-apis-for-webpack-5-second-try

See the full diff

Package name: @solana/web3.js

The new version differs by 75 commits.

• 77d9352 fix: bounds check
• 5b21c65 refactor(experimental): nit: rename define to describe (Implement Batch VAAs for guardian wormhole-foundation/wormhole#2384)
• ce1be3f refactor(experimental): rename getScalarEnumCodec to getEnumCodec (#2383)
• 7e86583 refactor(experimental): rename getDataEnumCodec to getDiscriminatedUnionCodec (#2382)
• 49a764c refactor(experimental): support number and symbol discriminator values for getDataEnumCodec (node/tools: update dlv to v1.9.1 wormhole-foundation/wormhole#2381)
• bf029dd refactor(experimental): support custom discriminator property for getDataEnumCodec (node: add keccak256 as an admin command wormhole-foundation/wormhole#2380)
• 3c33220 Move comments about signature busting to the callsites that bust the signatures (node/telemetry: gRPC middleware logs don't go to telemetry wormhole-foundation/wormhole#2386)
• 4fbec68 Upgrade to Jest 30 (Adjust guardian to submit observed UTXO's to btc-contract (on wormchain) wormhole-foundation/wormhole#1914)
• 50fe84e Revert "Show no Turbo logs except when there is an error (sui/wormhole: refactor and cleanup wormhole-foundation/wormhole#2366)" (Node: Reduce info logging for pythnet wormhole-foundation/wormhole#2385)
• b566e7a Enable `require-await` linter (Tracking issue for Sui integration - Guardian software wormhole-foundation/wormhole#2353)
• 8af5427 Show no Turbo logs except when there is an error (sui/wormhole: refactor and cleanup wormhole-foundation/wormhole#2366)
• 478443f Validate that the public key generated from createKeyPairFromBytes() belongs to the private key (wormchain: add migrating contracts with vaa wormhole-foundation/wormhole#2329)
• 9370133 Negative error codes now get decoded correctly by the production error decoder (node/watchers/near: NEAR Watcher Tests are flaky wormhole-foundation/wormhole#2376)
• 6135928 Split the dependency between `compile:typedefs` and the legacy library (node/grpc: request logging is not configurable wormhole-foundation/wormhole#2370)
• 38000cb Find all misnamed Rollup configs and fix them (accountant: use token bridge governance vaa to modify balances wormhole-foundation/wormhole#2371)
• 6eded26 Bust the prettier cache any time any file changes (sdk/js: v0.9.10 release wormhole-foundation/wormhole#2369)
• c03a8d5 Strip `outputs` from the Turborepo config, because omitting it is the same as passing an empty array (sui: consider improvements for composability wormhole-foundation/wormhole#2368)
• 99a9cbe Break the `style:fix` cache any time any file changes (sui/token_bridge: refactor and cleanup wormhole-foundation/wormhole#2367)
• 4402f35 Since tests depend on _implementations_, make sure to build upstreams before running tests (accountant: minor cleanup wormhole-foundation/wormhole#2373)
• 94f2053 Move dependencies out of `devDependencies` where they are used in the implementation (Guardian native chain id verification wormhole-foundation/wormhole#2375)
• 65f262c Run `style:fix` with the new, actually working config (node/grpc: add logging of x-forwarded-for to gRPC middleware wormhole-foundation/wormhole#2365)
• d2c0daf Make the Prettier task behave more like your editor (node - solana watcher txHash fix wormhole-foundation/wormhole#2364)
• 5908de2 Patch `jest-runner-prettier` to work with Prettier 3 (sui: write documentation in READMEs and in code wormhole-foundation/wormhole#2363)
• 0a19b75 Upgrade to Turbo 1.13

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@certusone/[email protected]	network Transitive: environment, filesystem	+84	159 MB	kev1n-peters
npm/@certusone/[email protected]	None	0	877 kB	evan-gray
npm/@grpc/[email protected]	environment, filesystem, network	+21	5.62 MB	murgatroid99
npm/@improbable-eng/[email protected]	network	0	12.1 kB	marcuslongmuir
npm/@mysten/[email protected]	network	+12	5.83 MB	ebmifa
npm/@solana/[email protected]	network Transitive: environment, filesystem, shell	+56	22.9 MB	mvines
npm/@solana/[email protected]	network	+8	11 MB	_chido
npm/@types/[email protected]	Transitive: environment, eval	+18	522 kB	types
npm/@types/[email protected]	None	0	71.4 kB	types
npm/@types/[email protected]	None	0	1.66 MB	types
npm/@types/[email protected]	None	0	1.67 MB	types
npm/[email protected]	environment, network	0	389 kB	jasonsaayman
npm/[email protected]	network Transitive: environment, eval, filesystem	+5	170 kB	dougwilson
npm/[email protected]	None	0	20 kB	dougwilson
npm/[email protected]	eval, filesystem, unsafe	0	309 kB	jdalton
npm/[email protected]	Transitive: environment, filesystem, network	+49	18.2 MB	ricmoo
npm/[email protected]	Transitive: environment, eval, filesystem, network, shell, unsafe	+327	25.2 MB	simenb
npm/[email protected]	environment, eval, filesystem, unsafe	0	21 MB	sosukesuzuki
npm/[email protected]	environment, filesystem Transitive: eval, network, shell, unsafe	+154	10.4 MB	kul
npm/[email protected]	None	0	13.5 kB	alexjoverm
npm/[email protected]	filesystem Transitive: environment, eval, shell	+39	4.02 MB	palantir
npm/[email protected]	None	0	64 MB	typescript-bot

🚮 Removed packages: npm/@certusone/[email protected], npm/@craco/[email protected], npm/@material-ui/[email protected], npm/@material-ui/[email protected], npm/@material-ui/[email protected], npm/@metamask/[email protected], npm/@solana/[email protected], npm/@solana/[email protected], npm/@solana/[email protected], npm/@solana/[email protected], npm/@solana/[email protected], npm/@solana/[email protected], npm/@solana/[email protected], npm/@solana/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/[email protected]	Install script: install Source: npm run build || echo "secp256k1 bindings compilation fail. Pure JS implementation will be used."	spydk/js/package-lock.json spydk/js/package.json
Install scripts	npm/[email protected]	Install script: install Source: npm run rebuild || echo "Secp256k1 bindings compilation fail. Pure JS implementation will be used."	orphan: npm/[email protected]
Install scripts	npm/@injectivelabs/[email protected]	Install script: postinstall Source: link-module-alias	node/hack/governor/package-lock.json node/hack/governor/package.json
Install scripts	npm/@injectivelabs/[email protected]	Install script: postinstall Source: link-module-alias	node/hack/governor/package-lock.json node/hack/governor/package.json
Install scripts	npm/@injectivelabs/[email protected]	Install script: postinstall Source: link-module-alias	node/hack/governor/package-lock.json node/hack/governor/package.json
Install scripts	npm/@injectivelabs/[email protected]	Install script: postinstall Source: link-module-alias	node/hack/governor/package-lock.json node/hack/governor/package.json
Install scripts	npm/@injectivelabs/[email protected]	Install script: postinstall Source: link-module-alias	node/hack/governor/package-lock.json node/hack/governor/package.json
Install scripts	npm/@injectivelabs/[email protected]	Install script: postinstall Source: link-module-alias	node/hack/governor/package-lock.json node/hack/governor/package.json
Install scripts	npm/@injectivelabs/[email protected]	Install script: postinstall Source: link-module-alias	node/hack/governor/package-lock.json node/hack/governor/package.json
Install scripts	npm/@injectivelabs/[email protected]	Install script: postinstall Source: link-module-alias	node/hack/governor/package-lock.json node/hack/governor/package.json
Install scripts	npm/@injectivelabs/[email protected]	Install script: postinstall Source: link-module-alias	node/hack/governor/package-lock.json node/hack/governor/package.json

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/@injectivelabs/[email protected]
• @SocketSecurity ignore npm/@injectivelabs/[email protected]
• @SocketSecurity ignore npm/@injectivelabs/[email protected]
• @SocketSecurity ignore npm/@injectivelabs/[email protected]
• @SocketSecurity ignore npm/@injectivelabs/[email protected]
• @SocketSecurity ignore npm/@injectivelabs/[email protected]
• @SocketSecurity ignore npm/@injectivelabs/[email protected]
• @SocketSecurity ignore npm/@injectivelabs/[email protected]
• @SocketSecurity ignore npm/@injectivelabs/[email protected]