[Snyk] Fix for 4 vulnerabilities

[kalbroni7]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • client/package.json
  • client/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	224/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00043, Social Trends: No, Days since published: 69, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 8.63, Likelihood: 2.59, Score Version: V5	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	Yes	Proof of Concept
	224/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00091, Social Trends: No, Days since published: 69, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 8.63, Likelihood: 2.59, Score Version: V5	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	Yes	Proof of Concept
	224/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00043, Social Trends: No, Days since published: 69, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 8.63, Likelihood: 2.59, Score Version: V5	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	Yes	Proof of Concept
	170/1000 Why? Confidentiality impact: High, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.83, Score Version: V5	Improper Validation of Integrity Check Value SNYK-JS-SECP256K1-8237220	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @solana/web3.js

The new version differs by 53 commits.

• 7141986 fix: replace tweetnacl impl
• ef5a6da Update rollup script to exclude new secp256k1 and hmac/sha256 dependencies (#27428)
• f8b5608 [web3.js] Replace sha256 and secp256k1 impls (#27390)
• 8e30e66 feat: add support for creating version 0 transactions (#27142)
• 4f2d052 [web3.js] Eliminate dependency on `URL` class (#27349)
• 8d5e263 chore: bump eslint-plugin-mocha from 10.0.4 to 10.1.0 in /web3.js (#27332)
• 40022a3 chore: bump @ commitlint/travis-cli from 17.0.0 to 17.0.3 in /web3.js (#27331)
• eaa318d chore: bump @ babel/register from 7.17.7 to 7.18.9 in /web3.js (#27330)
• 9abf36c chore: bump @ babel/core from 7.18.0 to 7.18.13 in /web3.js (#27329)
• 2cc39ab VoteProgram.safeWithdraw function to safeguard against accidental vote account closures (#26586)
• 55652a0 chore: bump @ babel/preset-env from 7.18.0 to 7.18.10 in /web3.js (#27138)
• 659067b chore: add constant for pubkey byte length (#27134)
• 895de4c feat: add getAddressLookupTable method to Connection (#27127)
• 732f8aa chore: restructure utils code
• 81a1d2c chore: restructure program files
• 53dd609 chore: restucture message files
• 9823da7 chore: restructure transaction files
• 7d05857 feat: support minContextSlot in getParsedAccountInfo method (#27084)
• d7ed86a chore: annotate more types as deprecated (#27067)
• bbfd5d3 feat: handle `loadedAddresses` field in tx meta responses (#27065)
• 3708ea1 chore: update `tweetnacl` dependency to 1.0.3 explicitly (#26907)
• 2dc0551 chore: Update web3.js README to ask that contributions and issues regarding web3.js be filed against the monorepo and not the mirror
• 091faf5 fix: (web3.js) clear the idle timer whenever the websocket closes (#26734)
• 85a6a3f feat(web3.js): add support for get stake minimum delegation (#26682)

See the full diff

Package name: @toruslabs/fetch-node-details

The new version differs by 209 commits.

• 512e54f v14.0.0
• 945cefe lock file
• e47ce4d Merge pull request Fix reconnection bugs solana-labs/break#94 from torusresearch/feat/update-deps
• dae6508 update deps
• dd3393e v13.4.0
• 65f4bec Update deps
• 4907693 Merge pull request Bring back 15 second screen solana-labs/break#84 from torusresearch/feat/celeste-migration
• 56dec7f fix celeste test
• 9672d0c fix test
• 08f9286 switch celeste endpoints
• 896e5be v13.3.0
• a7c7906 Merge pull request Design pass solana-labs/break#83 from torusresearch/feat/tss-frost-url
• a9c654a Merge pull request Fix server startup solana-labs/break#82 from torusresearch/PD-3415/sentry-sample-rate-configurable
• de02266 added support for tss-frost endpoints
• 8aa27c4 fix: configurable sentry rate
• 85705cb chore: update deps
• 7591401 Merge pull request Always use https in client when connecting to RPC solana-labs/break#81 from torusresearch/feat/add-request-id
• 1680906 remove unused dependencies
• 1b04c96 feat: return trace-id in response header
• 76323d3 add requestId to Sentry currentScope extra
• a6f5f5d feat: introduce `X-Request-Id` header
• 88f1375 Merge pull request Decrease the balance sent to each created account to preserve SOL solana-labs/break#80 from torusresearch/feat/new-deps-version
• 1676587 Merge branch 'master' into feat/new-deps-version
• 796f92c chore: update http-helpers and loglevel-sentry

See the full diff

Package name: @toruslabs/torus.js

The new version differs by 250 commits.

• 5404293 Merge pull request Use single commitment by default solana-labs/break#168 from torusresearch/resolve-cve
• 3e9654f replace ts node and babel with tsx
• a39debf only fake the date class instead of all sub timers like next tick
• 21272f3 Fixes CVE-2024-42459
• 233cf21 Release 15.1.0
• ceb7538 Merge pull request Fix results avg conf time calculation solana-labs/break#166 from torusresearch/alpha
• ad5477c Merge pull request Fix typo in api response handling solana-labs/break#167 from torusresearch/feat/getOrSetTssPubkey
• c701538 cleanup
• d2a6da4 added helper function for get or set tss dkg pub key
• 3d58fd5 Release 15.1.0-0
• b745055 Merge remote-tracking branch 'origin' into alpha
• 5881a07 Merge pull request Transaction finalization check isn't correct solana-labs/break#163 from torusresearch/feat/remove-commitments
• 09a5c8d add more tessts
• 1fbbf07 Release 15.0.5
• 5ccdd09 Merge pull request Split accounts to avoid writing accounts sequentially solana-labs/break#165 from torusresearch/fix/decryption-key-padding
• d7434a0 Update src/helpers/metadataUtils.ts
• 366ead0 fix error msg
• 2a9fc69 fix decryption key padding for ed25519
• 3a84281 made commitment flow optional
• 7620150 Release 15.0.4
• 2d01fd4 Merge pull request Add retry_until config url param solana-labs/break#164 from torusresearch/fix/ed25519-use-dkg
• 09113c1 enforce useDkg to false for ed25519
• f83417e error check fixed for non commitment lookups
• 4cb0c73 Update LICENSE

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@solana/[email protected]	network	+6	10.6 MB	_chido
npm/@toruslabs/[email protected]	Transitive: network	+5	701 kB	chaitanyapotti
npm/@toruslabs/[email protected]	None	+5	1.21 MB	chaitanyapotti

🚮 Removed packages: npm/@solana/[email protected], npm/@toruslabs/[email protected], npm/@toruslabs/[email protected]

View full report↗︎