fix: resolve Dependabot security vulnerabilities#470

Merged
ignaciosantise merged 2 commits intomainfrom
fix/dependabot-alerts
Apr 13, 2026

Conversation

@ignaciosantise
Collaborator

Summary

  • Bump transitive dependency overrides across all 8 apps: hono 4.12.7→4.12.12, undici 6.24.0→6.24.1, minimatch 9.0.7→9.0.9, picomatch 2.3.2→4.0.4, axios 1.13.5→1.15.0
  • Add missing overrides: hono (expo-wallet), elliptic + @xmldom/xmldom (W3MWagmi), undici + @xmldom/xmldom (W3MEthers5)
  • Remove ESM-only brace-expansion 5.0.5 override from all apps — broke pod install via RN codegen incompatibility
  • Update addressable Ruby gem 2.8.7→2.9.0

Not fixable (no patched version available)

  • ip 2.0.1 — latest version, no fix
  • elliptic 6.6.1 — latest version, no fix
  • bigint-buffer 1.1.5 — abandoned package
  • brace-expansion — safe CJS versions (2.x) are vulnerable; fixed versions (4.x/5.x) are ESM-only and break RN codegen

Test plan

  • npm install / yarn install succeeds in all 8 apps
  • ESLint passes in all 8 apps
  • JS bundle builds (iOS + Android) pass in all 8 apps
  • pod install succeeds in all 4 bare RN apps (rn_cli_wallet, W3MEthers, W3MEthers5, W3MWagmi)
  • TypeScript check passes (no new errors vs main)

🤖 Generated with Claude Code

ignaciosantise and others added 2 commits April 10, 2026 15:30
Bump hono 4.12.7→4.12.12, undici 6.24.0→6.24.1, minimatch 9.0.7→9.0.9,
axios 1.13.5→1.15.0 across all 8 apps. Add missing overrides for hono
(expo-wallet), elliptic and @xmldom/xmldom (W3MWagmi), undici and
@xmldom/xmldom (W3MEthers5). Update addressable gem 2.8.7→2.9.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ride

Upgrade picomatch 2.3.2→4.0.4 to fix POSIX Character Classes vulnerability.
Remove brace-expansion 5.0.5 override from all 8 apps — v5 is ESM-only
and breaks React Native codegen during pod install.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 10, 2026 19:09
@vercel

vercel bot commented Apr 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: pos-demo | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Apr 10, 2026 7:09pm


@claude

claude bot commented Apr 10, 2026

Claude finished @ignaciosantise's task in 4m 22s


PR Review: fix/dependabot-alerts

  • Gather context (read CLAUDE.md, examine changed files)
  • Run license compliance subagent
  • Run breaking changes subagent
  • Run data classification subagent
  • Consolidate findings and post review

🚨 PR Too Large
Files: 17 | Lines: 621 | Severity: HIGH | Category: maintainability

This PR spans 17 files across 8 independent apps. For future security bumps, consider splitting by package manager and app tier:

  • PR 1: Yarn RN apps — W3MEthers, W3MEthers5, W3MWagmi (yarn.lock + package.json ×3)
  • PR 2: Yarn wallet — rn_cli_wallet (yarn.lock + package.json)
  • PR 3: npm Expo apps — appkit-expo-wagmi, poc-pos-app, pos-app, expo-wallet (package-lock.json + package.json ×4)
  • PR 4: Ruby — Gemfile.lock

Found 1 issue(s)

Issue 1: @vercel/node scoped undici override bypasses security fix

ID: pos-app-vercel-undici-scope-a3f1
File: dapps/pos-app/package.json:92
Severity: LOW
Category: security

Context:

  • Pattern: "@vercel/node": { "undici": "5.29.0" } nested override exempts @vercel/node's transitive undici from the global 6.24.1 security fix applied elsewhere
  • Risk: undici 5.x has a history of CVEs; the scoped override means @vercel/node's dep tree retains 5.x rather than being forced to 6.x
  • Impact: If a 5.x-affecting CVE is present, server-side Vercel routes in pos-app remain exposed
  • Trigger: Only relevant if a specific undici 5.x CVE applies; may be intentional for @vercel/node API compatibility

Recommendation: Document this tradeoff in the PR's "Not fixable" section, or verify that undici 5.29.0 is patched against all CVEs that triggered this PR. If @vercel/node accepts 6.x, remove the nested override:

// Remove the scoped override and rely on top-level "undici": "6.24.1"
// Test: npm install && vercel dev in pos-app

Subagent findings: License compliance ✅ (all new deps MIT/Apache-2.0) | Breaking changes ✅ (picomatch major bump only affects transitive deps, no direct imports) | Data classification ✅
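The finding above turns on how npm scopes overrides: a nested object such as `"@vercel/node": { "undici": "5.29.0" }` applies only beneath that parent and so escapes the top-level `"undici": "6.24.1"` pin. The following is an added example (not code from this PR or the repository) that walks a package.json `overrides` block and reports every scoped pin that is older than the global pin for the same package; the sample manifest is constructed to mirror the flagged pattern, and it compares plain `x.y.z` strings only, not ranges.

```javascript
// Added example, not part of the PR: flag scoped npm "overrides" entries that pin a
// package below the top-level override for that same package, the pattern in which
// "@vercel/node": { "undici": "5.29.0" } keeps undici 5.x despite a global 6.24.1 pin.

// Minimal comparison for plain "x.y.z" strings; leading ^ or ~ is dropped, other
// ranges and prerelease tags are not parsed (they compare as NaN and are never flagged).
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^[\^~]/, '').split('.').map(Number);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Recursively walk an "overrides" object. A nested object is a scoped override that
// applies only under that parent package; a "." key inside it pins the parent itself.
function findShadowedOverrides(overrides, scopePath = [], top = overrides, out = []) {
  for (const [name, value] of Object.entries(overrides)) {
    if (typeof value === 'object' && value !== null) {
      findShadowedOverrides(value, scopePath.concat(name), top, out);
    } else if (scopePath.length > 0 && name !== '.') {
      const global = top[name];
      if (typeof global === 'string' && compareVersions(value, global) < 0) {
        out.push({ scope: scopePath.join(' > '), package: name, scoped: value, global });
      }
    }
  }
  return out;
}

// Constructed sample manifest modelled on the pattern flagged in dapps/pos-app/package.json.
const samplePackageJson = {
  name: 'sample-app',
  overrides: {
    undici: '6.24.1',
    minimatch: '9.0.9',
    '@vercel/node': { undici: '5.29.0' },
    'some-other-pkg': { minimatch: '9.0.9' } // same version as global: not a bypass
  }
};

for (const f of findShadowedOverrides(samplePackageJson.overrides)) {
  console.log(`${f.package} pinned to ${f.scoped} under ${f.scope}; global override is ${f.global}`);
}
```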


Copilot AI left a comment


Pull request overview

Updates dependency override/resolution pins across multiple apps to address Dependabot-reported security vulnerabilities, while avoiding the ESM-only brace-expansion@5 override that breaks React Native codegen / pod install.

Changes:

  • Bump pinned transitive dependencies (e.g., hono, undici, minimatch, picomatch, axios) to patched versions across affected apps.
  • Remove the ESM-only brace-expansion@5.0.5 override and allow compatible CJS brace-expansion@2.x where required by updated minimatch.
  • Update Ruby gem addressable to 2.9.0 in Gemfile.lock.

Reviewed changes

Copilot reviewed 8 out of 17 changed files in this pull request and generated no comments.

Summary per file:

  • wallets/rn_cli_wallet/package.json: Updates Yarn resolutions pins (axios/minimatch/picomatch/undici) and removes brace-expansion@5 override.
  • wallets/rn_cli_wallet/yarn.lock: Lockfile updates reflecting bumped dependencies (axios → 1.15.0, minimatch → 9.0.9, picomatch → 4.0.4, etc.).
  • wallets/expo-wallet/package.json: Updates npm overrides pins; adds missing hono override and removes brace-expansion@5.
  • wallets/expo-wallet/package-lock.json: Lockfile updates for minimatch/picomatch/undici and removal of brace-expansion@5 install.
  • dapps/W3MWagmi/package.json: Updates Yarn resolutions pins; adds elliptic + @xmldom/xmldom pins and bumps hono/undici/minimatch/picomatch.
  • dapps/W3MWagmi/yarn.lock: Lockfile updates for bumped dependencies and @xmldom/xmldom consolidation to 0.8.12.
  • dapps/W3MEthers/package.json: Updates Yarn resolutions pins; removes brace-expansion@5 override and bumps undici/minimatch/picomatch.
  • dapps/W3MEthers/yarn.lock: Lockfile updates reflecting bumped minimatch/picomatch/undici and CJS brace-expansion dependency graph.
  • dapps/W3MEthers5/package.json: Updates Yarn resolutions pins; adds missing undici + @xmldom/xmldom overrides and bumps minimatch/picomatch.
  • dapps/W3MEthers5/yarn.lock: Lockfile updates for undici@6.24.1, @xmldom/xmldom@0.8.12, and related transitive changes.
  • dapps/pos-app/package.json: Updates npm overrides pins (hono/minimatch/picomatch/undici) and removes brace-expansion@5.
  • dapps/pos-app/package-lock.json: Lockfile updates reflecting minimatch/picomatch dependency changes and removal of brace-expansion@5.
  • dapps/poc-pos-app/package.json: Updates npm overrides pins (hono/undici/minimatch/picomatch) and removes brace-expansion@5.
  • dapps/poc-pos-app/package-lock.json: Lockfile updates reflecting minimatch/picomatch/undici bumps and removal of brace-expansion@5.
  • dapps/appkit-expo-wagmi/package.json: Updates npm overrides pins (hono/undici/minimatch/picomatch) and removes brace-expansion@5.
  • dapps/appkit-expo-wagmi/package-lock.json: Lockfile updates reflecting bumped pinned dependencies and dependency tree changes.
  • Gemfile.lock: Bumps addressable gem from 2.8.7 to 2.9.0 (and updates public_suffix upper bound).
Files not reviewed (4)
  • dapps/appkit-expo-wagmi/package-lock.json: Language not supported
  • dapps/poc-pos-app/package-lock.json: Language not supported
  • dapps/pos-app/package-lock.json: Language not supported
  • wallets/expo-wallet/package-lock.json: Language not supported


@@ -92,20 +92,19 @@
"@vercel/node": {
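Review bot: the scoped "@vercel/node" override block kept at the start of this hunk is absent from the PR description's "Not fixable" list even though it leaves that subtree on undici 5.29.0 while the top-level pin moves to 6.24.1. Either add it to that list with the compatibility reason, or confirm @vercel/node works against undici 6.x and drop the nested entry, so that a future undici alert on this app is not assumed to be covered by the global override.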


🤖 Auto Review Issue: @vercel/node scoped undici override bypasses security fix

Severity: LOW
Category: security
Tool: Claude Auto Review

Context:

  • Pattern: "@vercel/node": { "undici": "5.29.0" } nested override exempts @vercel/node's transitive undici from the global 6.24.1 security fix applied elsewhere
  • Risk: undici 5.x has a history of CVEs; the scoped override means @vercel/node's dep tree retains 5.x rather than being forced to 6.x
  • Impact: If a 5.x-affecting CVE is present, server-side Vercel routes in pos-app remain exposed
  • Trigger: Only relevant if a specific undici 5.x CVE applies; may be intentional for @vercel/node API compatibility

Recommendation: Document this tradeoff in the PR's "Not fixable" section, or verify that undici 5.29.0 is patched against all CVEs that triggered this PR. If @vercel/node accepts 6.x, remove the nested override:

// Remove the scoped override and rely on top-level "undici": "6.24.1"
// Test: npm install && vercel dev in pos-app

@ignaciosantise ignaciosantise merged commit 05620e1 into main Apr 13, 2026
14 checks passed
@ignaciosantise ignaciosantise deleted the fix/dependabot-alerts branch April 13, 2026 17:44