fix: dependabot h3 #2868

Merged: mgrabina merged 1 commit into main from fix/dependabot-h3-request-smuggling on Feb 10, 2026

Conversation

@mgrabina (Contributor) commented Feb 10, 2026

Fix: Resolve h3 HTTP Request Smuggling vulnerability (Dependabot)

Summary

Adds a Yarn resolution to force the transitive dependency h3 to ^1.15.5, fixing a critical HTTP Request Smuggling issue (Dependabot alert).

Background

  • Vulnerability: In h3 ≤ 1.15.4, Transfer-Encoding is checked in a case-sensitive way. Requests with Transfer-Encoding: ChuNked (or other casing) are treated as having no body, which can lead to TE.TE desync and request smuggling when running behind L4 proxies or non-header-normalizing infrastructure.
  • Exposure: We don’t depend on h3 directly. It is pulled in transitively:
    • wagmi → @wagmi/connectors → @walletconnect/ethereum-provider → @walletconnect/keyvaluestorage → unstorage → h3
  • Our lockfile had h3@1.13.0 (vulnerable). The fix is in h3@1.15.5+.

Approach

  • Chosen fix: A single resolutions entry in package.json to force the whole dependency tree to use h3@^1.15.5.
  • Why resolutions: We can’t “upgrade h3” as a direct dependency because it’s transitive. Resolutions tell Yarn to satisfy every h3 request with the patched version, without upgrading wagmi/WalletConnect/unstorage and without risking breaking changes from a larger unstorage upgrade.
  • Risk: Low — 1.15.5 is a patch release; no intentional API changes. Unstorage’s latest already uses h3@^1.15.5; we’re aligning the rest of the tree with that.

Changes

  • package.json: Added:
    "resolutions": {
      "h3": "^1.15.5"
    }
  • yarn.lock: Regenerated so all h3 usages resolve to 1.15.5+.

Follow-up

  • When the WalletConnect/unstorage stack eventually depends on h3@^1.15.5 and the lockfile naturally picks it up, this resolution can be removed.
  • Resolves the Dependabot alert for h3.

Closes AAVE-3654
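As an added example (not code from this PR or the aave/interface project), a small Node script that checks the lockfile step described above: it parses Yarn v1 lockfile entries and reports any h3 entry still resolving below 1.15.5. The lockfile fragments are constructed, and the transitive range h3@^1.8.2 is an assumption.

```javascript
// Added example, not code from the aave/interface project: after adding the
// Yarn "resolutions" entry and regenerating yarn.lock, verify that every h3
// entry in the v1 lockfile resolved to the patched release (>= 1.15.5).
const MIN_PATCHED = "1.15.5"; // first h3 release carrying the fix, per the PR

// Compare plain x.y.z versions numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse a Yarn v1 lockfile into { name, version } records. Entry headers start
// at column 0 and end with ":"; the resolved version is the indented `version` line.
function parseYarnLock(text) {
  const entries = [];
  for (const line of text.split("\n")) {
    if (/^\S.*:$/.test(line)) {
      const first = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      // Strip the range after the last "@" so scoped names stay intact.
      entries.push({ name: first.slice(0, first.lastIndexOf("@")), version: null });
    } else if (entries.length) {
      const m = /^  version "([^"]+)"$/.exec(line);
      if (m) entries[entries.length - 1].version = m[1];
    }
  }
  return entries;
}

// Every entry for `pkg` that resolved below `min` (or carries no version line).
function findUnpatched(lockText, pkg, min) {
  return parseYarnLock(lockText).filter((e) =>
    e.name === pkg && (e.version === null || compareVersions(e.version, min) < 0));
}

// Constructed fragments (assumed range h3@^1.8.2): the PR's "before" state with
// h3 at 1.13.0 through a transitive range, and the lockfile after the resolution.
const LOCK_BEFORE = [
  "# yarn lockfile v1", "",
  '"@walletconnect/keyvaluestorage@^1.1.1":', '  version "1.1.1"',
  "  dependencies:", '    unstorage "^1.9.0"', "",
  "h3@^1.8.2:", '  version "1.13.0"',
].join("\n");
const LOCK_AFTER = LOCK_BEFORE
  .replace("h3@^1.8.2:", '"h3@^1.15.5", h3@^1.8.2:')
  .replace('version "1.13.0"', 'version "1.15.5"');
```

Run `findUnpatched(require("fs").readFileSync("yarn.lock", "utf8"), "h3", MIN_PATCHED)` against the real lockfile; an empty result means the resolution took effect everywhere.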

@vercel bot commented Feb 10, 2026

The latest updates on your projects.

Project: interface; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Feb 10, 2026 5:05pm


@mgrabina mgrabina marked this pull request as ready for review February 10, 2026 17:00
@github-actions bot commented Feb 10, 2026

❌ CI run has failed!
Please see logs at https://github.com/aave/interface/actions/runs/21874645431'

@mgrabina (Contributor, Author) commented:

@codex

@chatgpt-codex-connector bot commented:

Codex Review: Didn't find any major issues. Delightful!

@mgrabina mgrabina merged commit 80370c9 into main Feb 10, 2026
14 checks passed
@mgrabina mgrabina deleted the fix/dependabot-h3-request-smuggling branch February 10, 2026 17:43