@QuantumExplorer QuantumExplorer commented Sep 3, 2025

Issue being fixed or feature implemented

Added new dependencies for cryptographic operations to enhance security features.

What was done?

  • Added cipher-base, sha.js, and tmp packages to package.json.

How Has This Been Tested?

Dependencies were added without any issues. No specific tests were run as this is a dependency update.

Breaking Changes

None

Checklist

  • I have performed a self-review of my own code

  • I have commented my code, particularly in hard-to-understand areas

  • I have added or updated relevant unit/integration/functional/e2e tests

  • I have added ! to the title and described breaking changes in the corresponding section if my code contains any.

    For repository code-owners and collaborators only

  • I have assigned this pull request to a milestone

Summary by CodeRabbit

  • Chores
    • Pinned transitive dependency versions to ensure consistent installs and build stability: cipher-base (^1.0.5), sha.js (^2.4.12), and tmp (^0.2.4). Formatting tweak in the resolutions section to add these entries.
    • No changes to app functionality, public APIs, or runtime behavior; this is a configuration-only update. No action required from users.


coderabbitai bot commented Sep 3, 2025

Walkthrough

Updated dependency resolutions and Yarn PnP runtime state: added three new resolution overrides in package.json (cipher-base, sha.js, tmp) and bumped corresponding package versions and packageLocation/ dependency entries in .pnp.cjs; removed the os-tmpdir block. No runtime code, scripts, or public APIs changed.

Changes

Cohort / File(s) | Summary of Changes
Resolutions (root manifest): package.json | Added resolutions entries: cipher-base → ^1.0.5, sha.js → ^2.4.12, tmp → ^0.2.4; adjusted trailing comma after brace-expansion.
Yarn PnP runtime state: .pnp.cjs | Bumped package versions and updated packageLocation/packageDependencies: cipher-base 1.0.4 → 1.0.6, sha.js 2.4.11 → 2.4.12 (added to-buffer@1.2.1 dep), tmp entries → 0.2.5; removed os-tmpdir block. Changes limited to lock/runtime metadata.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • pauldelucia
  • lklimek

Poem

I nibble at strings and tidy the tree,
Pinning small packages for harmony.
A comma hops in, a block drifts away,
Versions updated — ready to play.
(_/) 🥕 — rabbit-keeper of dependency day.


@QuantumExplorer QuantumExplorer added this to the v2.1 milestone Sep 3, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.pnp.cjs (1)

7622-7626: Top-level cipher-base entry updated to 1.0.6 — correct and consistent.

This satisfies the advisory (fixed in ≥1.0.5). Consider auditing any security-critical hashing to prefer Node’s crypto/WebCrypto over browserify polyfills. (osv.dev)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 8796285 and 0897e41.

⛔ Files ignored due to path filters (6)
  • .yarn/cache/cipher-base-npm-1.0.4-2e98b97140-3d5d6652ca.zip is excluded by !**/.yarn/**, !**/*.zip
  • .yarn/cache/os-tmpdir-npm-1.0.2-e305b0689b-5666560f7b.zip is excluded by !**/.yarn/**, !**/*.zip
  • .yarn/cache/sha.js-npm-2.4.11-14868df4ca-d833bfa3e0.zip is excluded by !**/.yarn/**, !**/*.zip
  • .yarn/cache/tmp-npm-0.0.33-bcbf65df2a-09c0abfd16.zip is excluded by !**/.yarn/**, !**/*.zip
  • .yarn/cache/tmp-npm-0.2.1-a9c8d9c0ca-445148d72d.zip is excluded by !**/.yarn/**, !**/*.zip
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • .pnp.cjs (10 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: QuantumExplorer
PR: dashpay/platform#2257
File: packages/rs-drive-abci/src/mimic/test_quorum.rs:159-164
Timestamp: 2024-11-20T16:16:01.830Z
Learning: QuantumExplorer prefers not to receive auto-generated messages asking to post on social media.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build Docker images (Dashmate helper, dashmate-helper, dashmate-helper) / Build Dashmate helper image
  • GitHub Check: Build Docker images (DAPI, dapi, dapi) / Build DAPI image
  • GitHub Check: Build JS packages / Build JS
🔇 Additional comments (9)
.pnp.cjs (9)

6920-6920: Good: browserify-des now depends on cipher-base 1.0.6.

Aligns transitive deps with the patched version. (osv.dev)

8461-8466: create-hmac now on cipher-base 1.0.6 and sha.js 2.4.12 — good.

Both address recent CVEs. (osv.dev, github.com)

10447-10447: tmp bumped to 0.2.5 under inquirer — includes fix for symlink-write vuln.

CVE fixed in ≥0.2.4; 0.2.5 is current and non-vulnerable. (github.com, security.snyk.io)

13135-13135: tmp 0.2.5 used by webpack-dev-server path — consistent with patched range.

Tracks the fixed series (≥0.2.4). (github.com)

16013-16014: sha.js dependency set to 2.4.12 and adds to-buffer 1.2.1 — matches upstream fix.

2.4.12 is the patched release; the to-buffer dep is expected. (github.com)

17455-17461: New sha.js block at 2.4.12 — resolves CVE-2025-9288.

Good to see safe-buffer and to-buffer listed per the patched release. (github.com, advisories.gitlab.com)

6894-6894: cipher-base is pinned at v1.0.6 with no older vulnerable versions detected.

18877-18880: tmp version verified

Only tmp@0.2.5 is present in .pnp.cjs; no older versions remain.

8436-8452: Approve – only fixed dependency versions present

Verification confirms that .pnp.cjs references solely sha.js@2.4.12 and cipher-base@1.0.6, with no stray vulnerable versions.
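The verification step above (no stray vulnerable versions left in .pnp.cjs) can be reproduced with a small Node script; this is an added example, not code from the PR or from the dashpay/platform repository. It assumes PnP dependency entries have the `["name", "npm:x.y.z"]` shape and uses the minimum patched versions the review cites; the sample input is constructed.

```javascript
// Added example (not code from the PR or the project): verify that every
// version of the three packages referenced in a Yarn PnP file meets the
// patched minimum named in the review.
// Assumption: dependency entries have the shape ["name", "npm:x.y.z"]; the sample text below is constructed.
const MINIMUM_SAFE = {
  'cipher-base': '1.0.5', // advisory fixed in >= 1.0.5
  'sha.js': '2.4.12',     // CVE-2025-9288 fixed in 2.4.12
  tmp: '0.2.4',           // symlink-write issue fixed in >= 0.2.4
};

// Numeric dotted-version compare: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return one {name, version, ok} finding per distinct name@version of a
// watched package; ok is false when the version is below the minimum.
function auditPnp(text, minimums = MINIMUM_SAFE) {
  const re = /\["([^"]+)",\s*"npm:(\d+\.\d+\.\d+)"\]/g;
  const seen = new Set();
  const findings = [];
  for (const m of text.matchAll(re)) {
    const [, name, version] = m;
    const key = `${name}@${version}`;
    if (!Object.prototype.hasOwnProperty.call(minimums, name) || seen.has(key)) continue;
    seen.add(key);
    findings.push({ name, version, ok: compareVersions(version, minimums[name]) >= 0 });
  }
  return findings;
}

// Constructed sample: a stale cipher-base reference left beside the patched one.
const SAMPLE_PNP = `
      ["browserify-des", "npm:1.0.2"],
      ["cipher-base", "npm:1.0.4"],
      ["cipher-base", "npm:1.0.6"],
      ["sha.js", "npm:2.4.12"],
      ["tmp", "npm:0.2.5"],
      ["to-buffer", "npm:1.2.1"]
`;

const stale = auditPnp(SAMPLE_PNP).filter((f) => !f.ok);
if (stale.length) console.error('Vulnerable versions still referenced:', stale);
```

Run it against the real file with `auditPnp(require('fs').readFileSync('.pnp.cjs', 'utf8'))`; an empty `stale` list is the condition the reviewer's "no stray vulnerable versions" claim rests on.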

@QuantumExplorer QuantumExplorer changed the title feat: add crypto-related dependencies to package.json feat: fix js sdk audit warnings by adding crypto-related dependencies to package.json Sep 3, 2025
@QuantumExplorer QuantumExplorer changed the title feat: fix js sdk audit warnings by adding crypto-related dependencies to package.json fix: js sdk audit warnings by adding crypto-related dependencies to package.json Sep 3, 2025
@QuantumExplorer QuantumExplorer changed the title fix: js sdk audit warnings by adding crypto-related dependencies to package.json fix(sdk): js sdk audit warnings by adding crypto-related dependencies to package.json Sep 3, 2025
@QuantumExplorer QuantumExplorer merged commit 0fb9827 into v2.1-dev Sep 3, 2025
19 of 22 checks passed
@QuantumExplorer QuantumExplorer deleted the featadd-crypto-dependencies branch September 3, 2025 16:08