fix: bump and dedupe vulnerable packages [LW-12987, LW-12986] (#1890)

* fix: bump and dedupe axios (CVE-2025-27152)

* fix: bump openpgp (CVE-2025-47934)

Author: przemyslaw-wlodek

apps/browser-extension-wallet/package.json

@@ -98,7 +98,6 @@
     "little-state-machine": "4.8.0",
     "lodash": "4.17.21",
     "node-abort-controller": "^3.1.1",
-    "openpgp": "^5.11.2",
     "p-debounce": "^4.0.0",
     "pluralize": "^8.0.0",
     "posthog-js": "^1.161.3",

apps/browser-extension-wallet/src/utils/pgp.ts

@@ -1,5 +1,5 @@
 /* eslint-disable unicorn/no-null */
-import { createMessage, decrypt, encrypt, readKey, readMessage, readPrivateKey, decryptKey } from 'openpgp';
+import { createMessage, decrypt, encrypt, readKey, readMessage, readPrivateKey, decryptKey, enums } from 'openpgp';
 import type { Key, MaybeArray, Message, PartialConfig, PrivateKey, PublicKey } from 'openpgp';
 import { i18n } from '@lace/translation';
 import type { PublicPgpKeyData } from '@src/types';
@@ -127,7 +127,7 @@ export const encryptMessageWithPgpAsBinaryFormat = async ({
     signingKeys: privateKeys,
     format: 'binary',
     config: {
-      deflateLevel: 9
+      preferredCompressionAlgorithm: enums.compression.zlib
     }
   });
 

apps/browser-extension-wallet/test/jest.setup.js

@@ -28,6 +28,12 @@ if (typeof global.TextDecoder === 'undefined') {
   global.TextDecoder = TextDecoder;
 }
 
+// Add WebCrypto API polyfill, required for openpgp.js
+const { webcrypto } = require('node:crypto');
+if (typeof global.crypto === 'undefined') {
+  global.crypto = webcrypto;
+}
+
 // Add Uint8Array to prototype chain of Buffer, so that it behaves the same in jsdom as in nodejs and polyfilled browser env
 let Type = Buffer;
 while (Type.prototype) Type = Type.prototype;

package.json

@@ -109,11 +109,15 @@
     "ws@^8.2.3": "^8.17.1",
     "ws@^8.4.2": "^8.17.1",
     "ws@^8.5.0": "^8.17.1",
-    "ws@^8.8.0": "^8.17.1"
+    "ws@^8.8.0": "^8.17.1",
+    "axios": "^1.9.0",
+    "openpgp": "^6.1.1"
   },
   "dependencies": {
     "@input-output-hk/lace-ui-toolkit": "3.5.0",
+    "axios": "^1.9.0",
     "normalize.css": "^8.0.1",
+    "openpgp": "^6.1.1",
     "uuid": "^8.3.2"
   },
   "devDependencies": {

packages/bitcoin/package.json

@@ -43,7 +43,6 @@
     "@bitcoinerlab/secp256k1": "^1.2.0",
     "@lace/common": "0.1.0",
     "@scure/bip32": "^1.6.0",
-    "axios": "^1.7.9",
     "bip39": "^3.1.0",
     "bitcoinjs-lib": "^6.1.7",
     "bn.js": "^5.2.1",
@@ -66,7 +65,6 @@
     "@types/bn.js": "^5.1.6",
     "@types/pbkdf2": "^3",
     "@types/webextension-polyfill": "0.10.0",
-    "axios": "^1.7.4",
     "ecpair": "^3.0.0",
     "rollup-plugin-polyfill-node": "^0.8.0",
     "ts-log": "^2.2.7",

packages/cardano/package.json

@@ -76,7 +76,6 @@
     "@cardano-sdk/util-dev": "0.25.16",
     "@emurgo/cardano-message-signing-browser": "1.0.1",
     "@types/webextension-polyfill": "0.10.0",
-    "axios": "^1.8.2",
     "rollup-plugin-polyfill-node": "^0.8.0",
     "ts-log": "^2.2.7",
     "type-fest": "^4.26.1",

test/createJestConfig.js

@@ -18,7 +18,8 @@ const esmExceptions = jestEsmExceptions([
   'p-retry',
   'p-debounce',
   'react-icons',
-  'bip32'
+  'bip32',
+  'openpgp'
 ]);
 
 const rootDir = process.cwd();

yarn.lock

@@ -12405,7 +12405,6 @@ __metadata:
     "@types/bn.js": ^5.1.6
     "@types/pbkdf2": ^3
     "@types/webextension-polyfill": 0.10.0
-    axios: ^1.7.4
     bip39: ^3.1.0
     bitcoinjs-lib: ^6.1.7
     bn.js: ^5.2.1
@@ -12501,7 +12500,6 @@ __metadata:
     lodash: 4.17.21
     node-abort-controller: ^3.1.1
     npm-run-all: 4.1.5
-    openpgp: ^5.11.2
     p-debounce: ^4.0.0
     pluralize: ^8.0.0
     posthog-js: ^1.161.3
@@ -12551,7 +12549,6 @@ __metadata:
     "@stablelib/chacha20poly1305": 1.0.1
     "@trezor/transport": ^1.1.18
     "@types/webextension-polyfill": 0.10.0
-    axios: ^1.8.2
     bignumber.js: 9.0.1
     buffer: 6.0.3
     classnames: 2.3.1
@@ -26472,7 +26469,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"asn1.js@npm:^5.0.0, asn1.js@npm:^5.2.0":
+"asn1.js@npm:^5.2.0":
   version: 5.4.1
   resolution: "asn1.js@npm:5.4.1"
   dependencies:
@@ -26703,55 +26700,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"axios@npm:^0.21.1":
-  version: 0.21.4
-  resolution: "axios@npm:0.21.4"
-  dependencies:
-    follow-redirects: ^1.14.0
-  checksum: 44245f24ac971e7458f3120c92f9d66d1fc695e8b97019139de5b0cc65d9b8104647db01e5f46917728edfc0cfd88eb30fc4c55e6053eef4ace76768ce95ff3c
-  languageName: node
-  linkType: hard
-
-"axios@npm:^0.27.2":
-  version: 0.27.2
-  resolution: "axios@npm:0.27.2"
-  dependencies:
-    follow-redirects: ^1.14.9
-    form-data: ^4.0.0
-  checksum: 38cb7540465fe8c4102850c4368053c21683af85c5fdf0ea619f9628abbcb59415d1e22ebc8a6390d2bbc9b58a9806c874f139767389c862ec9b772235f06854
-  languageName: node
-  linkType: hard
-
-"axios@npm:^1.6.1":
-  version: 1.6.3
-  resolution: "axios@npm:1.6.3"
-  dependencies:
-    follow-redirects: ^1.15.0
-    form-data: ^4.0.0
-    proxy-from-env: ^1.1.0
-  checksum: 07ef3bb83fc2dacc1ae2c97f2bbd04ef7701f5655f9037789d79ee78b698ffa50eaa8465c2017d4d3e9ce7d94cb779f730acaab32ce9036d0a4933c1e89df4da
-  languageName: node
-  linkType: hard
-
-"axios@npm:^1.7.4":
-  version: 1.7.7
-  resolution: "axios@npm:1.7.7"
-  dependencies:
-    follow-redirects: ^1.15.6
-    form-data: ^4.0.0
-    proxy-from-env: ^1.1.0
-  checksum: 882d4fe0ec694a07c7f5c1f68205eb6dc5a62aecdb632cc7a4a3d0985188ce3030e0b277e1a8260ac3f194d314ae342117660a151fabffdc5081ca0b5a8b47fe
-  languageName: node
-  linkType: hard
-
-"axios@npm:^1.8.2":
-  version: 1.8.3
-  resolution: "axios@npm:1.8.3"
+"axios@npm:^1.9.0":
+  version: 1.9.0
+  resolution: "axios@npm:1.9.0"
   dependencies:
     follow-redirects: ^1.15.6
     form-data: ^4.0.0
     proxy-from-env: ^1.1.0
-  checksum: 85fc8ad7d968e43ea9da5513310637d29654b181411012ee14cc0a4b3662782e6c81ac25eea40b5684f86ed2d8a01fa6fc20b9b48c4da14ef4eaee848fea43bc
+  checksum: 631f02c9c279f2ae90637a4989cc9d75c1c27aefd16b6e8eb90f98a4d0bddaccfd1cb1387be12101d1ab0f9bbf0c47e2451b4de0cf2870462a7d9ed3de8da3f2
   languageName: node
   linkType: hard
 
@@ -43023,6 +42979,7 @@ __metadata:
     "@types/zxcvbn": ^4.4.1
     "@typescript-eslint/eslint-plugin": ^4.29.0
     "@typescript-eslint/parser": ^4.29.0
+    axios: ^1.9.0
     babel-jest: 28.1.3
     babel-loader: 8.2.2
     browserify-zlib: ^0.2.0
@@ -43063,6 +43020,7 @@ __metadata:
     node-sass: 9.0.0
     normalize.css: ^8.0.1
     npm-run-all: 4.1.5
+    openpgp: ^6.1.1
     p-retry: 5.1.2
     postcss: 8.4.31
     prettier: ^2.3.2
@@ -46997,12 +46955,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"openpgp@npm:^5.11.2":
-  version: 5.11.2
-  resolution: "openpgp@npm:5.11.2"
-  dependencies:
-    asn1.js: ^5.0.0
-  checksum: 1e7627e4dc89add906cb0c1060b50dfcee40817fd425a5077b7c1abe44f5176d2433d66f1dfca0ad04f3c69bb3714f1a3afca1c578f40c436941266feecfa679
+"openpgp@npm:^6.1.1":
+  version: 6.1.1
+  resolution: "openpgp@npm:6.1.1"
+  checksum: 364efcaf6fb308e59d777adaa874dbe716962f5adbcafaff263cfc2754820af278f5455cc6955025d366fab9b1a0a0b170f2a3c2069f9d8d79f44cd55c13fbb5
   languageName: node
   linkType: hard