@cosmjs/[email protected] security vulnerability in dependency [email protected] #1618

Closed
300apm opened this issue Jan 6, 2025 · 2 comments · Fixed by #1623

Comments


300apm commented Jan 6, 2025

The package @cosmjs/[email protected] has a dependency @confio/[email protected] which has a dependency [email protected] that has a security vulnerability: GHSA-g954-5hwp-pp24

@confio/[email protected] has not been updated for more than 3 years.

Are there any plans to fix this? Dependabot has marked this as Critical.

Thanks!

Member

webmaster128 commented Jan 7, 2025

Thank you for bringing this up!

I added a deprecation message to @confio/ics23 to explain what happened here. This means the latest CosmJS depends on unmaintained packages and packages with open issues.

While I still do have access here, Confio and I have not had a mandate to work on CosmJS for more than 1 year now. This is why such things are not addressed at this point.

@webmaster128
Member

CosmJS 0.33.0, released today, removed the @confio/ics23 dependency and ICS23 features. protobufjs was upgraded to v7.
