@Redennison Redennison commented Sep 23, 2025

Description

Applied targeted resolution to pin store2 to 2.14.4 for avalanche package. This addresses GHSA-w5hq-hm5m-4548, a low-severity XSS vulnerability.

The ticket requested updating avalanche to a version with store2 2.14.4+; however, the latest avalanche version (3.16.0) only includes store2 2.14.2. Used resolution to force avalanche@3.15.3 to use store2@2.14.4 instead of vulnerable 2.13.2.

Direct store2 usage audit: No direct store2.get() operations found in codebase

  • Searched for store2.get and store.get

localStorage XSS vectors review: No vulnerable patterns found

  • All localStorage usage is safe (documentation examples only)

Input validation: N/A (No user-controlled data used in store operations)

Issue Number

Ticket: DX-1562

How Has This Been Tested?

  • yarn audit - GHSA-w5hq-hm5m-4548 resolved, no store2 vulnerabilities
  • yarn unit-test - All tests successful
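
The resolution approach described in the PR, as an added example (this is not the repository's own package.json or tooling): a package.json `resolutions` fragment that pins store2 for avalanche, plus a small POSIX shell check that reads the resolved store2 version back out of a Yarn classic yarn.lock, so the pin can be verified in CI rather than assumed. The selector `avalanche/store2`, the helper names and the lockfile contents are assumptions constructed for the example; the package names, versions and advisory id are the ones given in the PR.

```shell
#!/bin/sh
# Added example, not code from the PR or the repository.
# Pin a transitive dependency via Yarn "resolutions", then verify what the
# lockfile actually resolved. Lockfile contents used with these helpers are
# constructed for the example.

FIXED_VERSION="2.14.4"   # first store2 release without GHSA-w5hq-hm5m-4548

# The resolutions entry a package.json would carry. The "avalanche/store2"
# selector (an assumption about the PR's exact selector) scopes the override
# to avalanche's own store2 dependency; "**/store2" would apply it to every
# dependency path that pulls store2 in.
package_json_fragment() {
  cat <<'EOF'
{
  "resolutions": {
    "avalanche/store2": "2.14.4"
  }
}
EOF
}

# Print the version yarn.lock resolved for a package. Yarn classic lockfile
# layout: an unindented 'name@range:' header (optionally quoted) followed by
# an indented 'version "x.y.z"' line. Prints nothing if the package is absent.
lock_resolved_version() {
  pkg="$1"; lockfile="$2"
  awk -v pkg="$pkg" '
    /^[^ ]/ { inblock = ($0 ~ "^\"?" pkg "@") }
    inblock && /^  version / { gsub(/"/, "", $2); print $2; exit }
  ' "$lockfile"
}

# True (exit 0) when dotted version $1 >= $2, compared component by component.
version_at_least() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      d = (x[i] + 0) - (y[i] + 0)
      if (d != 0) exit (d > 0 ? 0 : 1)
    }
    exit 0
  }'
}

# Report PASS/FAIL for a lockfile, e.g. as a CI step after `yarn install`.
check_lockfile() {
  v="$(lock_resolved_version store2 "$1")"
  if [ -n "$v" ] && version_at_least "$v" "$FIXED_VERSION"; then
    echo "PASS store2@$v"
  else
    echo "FAIL store2@${v:-missing}"
  fi
}
```

Running `check_lockfile yarn.lock` after `yarn install` complements `yarn audit`: the audit reports advisories against the tree, while this check confirms the specific pin took effect, which matters because a resolution that does not match the dependency path silently leaves the old version in place.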

@Redennison Redennison force-pushed the DX-1562-address-store2-vulnerability branch from 0fcdb58 to 8dd30d9 September 23, 2025 14:57
@Redennison Redennison marked this pull request as ready for review September 23, 2025 20:35
@Redennison Redennison requested a review from a team as a code owner September 23, 2025 20:35
@Redennison Redennison merged commit f5dd019 into master Sep 25, 2025
12 checks passed