Skip to content

[Aikido] Fix 3 medium issues in viem, @metamask/sdk, @metamask/sdk-communication-layer #356

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[Aikido] Fix 3 medium issues in viem, @metamask/sdk, @metamask/sdk-communication-layer #356

wants to merge 1 commit into from

Conversation

aikido-autofix[bot]
Copy link

@aikido-autofix aikido-autofix bot commented Sep 23, 2025
edited by pr-codex bot
Loading

This PR will resolve the following CVEs:

CVE ID Severity Description 
AIKIDO-2024-10466
 
MEDIUM
 Affected versions of this package are vulnerable due to insufficient entropy in the signature algorithm. The nonce (or k) used in transaction signatures must be unique for every message. Reusing the same nonce across different messages allows attackers to exploit the weakness and recover the pri... 
GHSA-qj3p-xc97-xw74
 
MEDIUM
 ### Who is affected?
This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application:
- Installed MetaMask SDK into a project with a lockfile for the first time

PR-Codex overview

This PR updates the package.json and pnpm-lock.yaml files to modify dependencies, add new packages, and adjust existing package versions, ensuring compatibility and improvements in the project.

Detailed summary

  • Updated packageManager to [email protected].
  • Adjusted lint-staged configuration formatting.
  • Added new dependencies: [email protected], @metamask/[email protected], @metamask/[email protected], @base-org/[email protected].
  • Updated @privy-io/react-auth version from 2.13.8 to 2.25.0.
  • Updated @privy-io/api-base version from 1.5.1 to 1.7.0.
  • Updated @privy-io/chains version from 0.0.1 to 0.0.2.
  • Updated @reown/appkit version from 1.7.8 to 1.8.6.
  • Updated viem dependency versions across multiple packages.
  • Removed deprecated packages and updated their respective dependencies.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

@aikido-autofix aikido-autofix bot added the dependencies Pull requests that update a dependency file label Sep 23, 2025
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 23, 2025

⚠️ No Changeset found

Latest commit: 47c1a72

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@aikido-autofix aikido-autofix bot closed this Sep 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coffeexcoin coffeexcoin Awaiting requested review from coffeexcoin coffeexcoin is a code owner

@cygaar cygaar Awaiting requested review from cygaar cygaar is a code owner

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants