Skip to content

[Aikido] Fix security issue in viem via minor version upgrade from 2.21.44 to 2.21.49 #353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[Aikido] Fix security issue in viem via minor version upgrade from 2.21.44 to 2.21.49 #353

wants to merge 1 commit into from

Conversation

aikido-autofix[bot]
Copy link

@aikido-autofix aikido-autofix bot commented Sep 9, 2025
edited by pr-codex bot
Loading

This PR will resolve the following CVEs:

CVE ID Severity Description 
AIKIDO-2024-10466
 
MEDIUM
 Affected versions of this package are vulnerable due to insufficient entropy in the signature algorithm. The nonce (or k) used in transaction signatures must be unique for every message. Reusing the same nonce across different messages allows attackers to exploit the weakness and recover the pri...

PR-Codex overview

This PR focuses on updating various dependencies in the package.json and pnpm-lock.yaml files, ensuring compatibility with newer versions and fixing version constraints for specific packages.

Detailed summary

  • Updated @eslint/plugin-kit version constraint in package.json.
  • Added viem@<=2.21.49 in package.json and pnpm-lock.yaml.
  • Updated terser version from 5.37.0 to 5.43.1 in pnpm-lock.yaml.
  • Updated yaml version from 2.7.0 to 2.8.1 in pnpm-lock.yaml.
  • Updated @privy-io/react-auth version from 2.13.8 to 2.24.0.
  • Updated @privy-io/js-sdk-core version from 0.50.8 to 0.54.2.
  • Updated @privy-io/public-api version from 2.32.0 to 2.44.2.
  • Updated @privy-io/ethereum version from 0.0.1 to 0.0.2.
  • Updated @privy-io/chains version from 0.0.1 to 0.0.2.
  • Updated @reown/appkit version from 1.7.8 to 1.8.4.
  • Updated @reown/appkit-utils version from 1.7.8 to 1.8.4.
  • Updated @reown/appkit-wallet version from 1.7.8 to 1.8.4.
  • Updated valtio version from 1.13.2 to 2.1.7.

The following files were skipped due to too many changes: pnpm-lock.yaml

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

@aikido-autofix aikido-autofix bot added the dependencies Pull requests that update a dependency file label Sep 9, 2025
@aikido-autofix aikido-autofix bot requested a review from cygaar as a code owner September 9, 2025 22:33
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 9, 2025

⚠️ No Changeset found

Latest commit: 86e34bf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@aikido-autofix aikido-autofix bot closed this Sep 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coffeexcoin coffeexcoin Awaiting requested review from coffeexcoin coffeexcoin is a code owner

@cygaar cygaar Awaiting requested review from cygaar cygaar is a code owner

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants