Summary
@creit.tech/stellar-wallets-kit resolves to a sub-dependency tree carrying 45 known advisories (1 critical, 21 high) as reported by npm audit. The count is identical on both the current 2.3.0 and the latest 2.4.0 — bumping the kit does not help, because the affected sub-dependencies are pinned to exact versions that are the same in both releases.
Root cause
The kit pins two sub-dependencies to versions whose transitive trees are vulnerable:
- @trezor/connect-web@10.0.0-alpha.1 (a pre-release alpha) → @trezor/protobuf@10.0.0-alpha.1 → protobufjs ≤ 7.6.2, which is affected by:
  The stable line @trezor/connect-web@9.7.3 is available, and protobufjs is fixed in >= 7.6.3 (latest 8.x).
- @reown/appkit@1.8.19 → high advisories via viem and ws (e.g. GHSA-96hv-2xvq-fx4p — ws memory-exhaustion DoS, fixed in ws >= 8.20.2). @reown/appkit@1.8.21 is available upstream.
Because these ranges are pinned exactly, downstream consumers cannot remediate via npm overrides without risking breakage of the wallet-connect flow.
Reproduction
npm init -y
npm i @creit.tech/stellar-wallets-kit@2.4.0 --package-lock-only
npm audit
# => 45 vulnerabilities (18 low, 5 moderate, 21 high, 1 critical)
# identical result with @2.3.0
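An added helper (not part of the issue or of the kit) that reads an `npm audit --json` report (auditReportVersion 2) and maps each root advisory back to the direct dependency that pulls it in, which is the information an integrator needs before deciding whether an `overrides` entry is safe; the report below is a constructed sample mirroring the two chains above, and the protobufjs advisory URL is a placeholder because the issue does not name it.

```javascript
// Added example (not the issue author's code): turn an `npm audit --json`
// (auditReportVersion 2) report into root advisories with the chain back to
// the direct dependency, plus a CI gate. `sampleReport` is constructed to
// mirror the issue's two chains; the protobufjs advisory URL is a placeholder.
const kit = "@creit.tech/stellar-wallets-kit";
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    protobufjs: { name: "protobufjs", severity: "critical", isDirect: false,
      via: [{ name: "protobufjs", severity: "critical", range: "<=7.6.2",
        url: "https://github.com/advisories/GHSA-PLACEHOLDER" }],
      effects: ["@trezor/protobuf"] },
    "@trezor/protobuf": { name: "@trezor/protobuf", severity: "critical",
      isDirect: false, via: ["protobufjs"], effects: ["@trezor/connect-web"] },
    "@trezor/connect-web": { name: "@trezor/connect-web", severity: "critical",
      isDirect: false, via: ["@trezor/protobuf"], effects: [kit] },
    ws: { name: "ws", severity: "high", isDirect: false,
      via: [{ name: "ws", severity: "high", range: "<8.20.2",
        url: "https://github.com/advisories/GHSA-96hv-2xvq-fx4p" }],
      effects: ["@reown/appkit"] },
    "@reown/appkit": { name: "@reown/appkit", severity: "high", isDirect: false,
      via: ["ws"], effects: [kit] },
    [kit]: { name: kit, severity: "critical", isDirect: true,
      via: ["@trezor/connect-web", "@reown/appkit"], effects: [] },
  },
  metadata: { vulnerabilities: { low: 18, moderate: 5, high: 21, critical: 1 } },
};
// Walk `effects` upward until a direct dependency; `seen` guards against cycles.
function chainsToDirect(vulns, name, seen = new Set()) {
  const entry = vulns[name];
  if (!entry || seen.has(name)) return [];
  if (entry.isDirect) return [[name]];
  const next = new Set(seen).add(name);
  return entry.effects.flatMap((parent) =>
    chainsToDirect(vulns, parent, next).map((chain) => [name, ...chain]));
}
// A `via` entry that is an object is an advisory; a string only points at
// another vulnerable package. Returns one record per root advisory.
function rootAdvisories(report) {
  const vulns = report.vulnerabilities;
  return Object.values(vulns).flatMap((entry) =>
    entry.via.filter((v) => typeof v === "object").map((v) => ({
      package: entry.name, severity: v.severity, vulnerableRange: v.range,
      advisory: v.url, chains: chainsToDirect(vulns, entry.name) })));
}
// CI gate: true when the report exceeds the allowed high/critical counts.
function exceedsPolicy(report, { maxCritical = 0, maxHigh = 0 } = {}) {
  const c = report.metadata.vulnerabilities;
  return c.critical > maxCritical || c.high > maxHigh;
}
```

Against a real report (`npm audit --json > audit.json`, then `JSON.parse` the file), `rootAdvisories` shows that every chain here terminates in the kit, which is why an integrator-side override is the only lever short of an upstream bump.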
Impact
The critical (protobufjs ACE) and the highs live entirely in the kit's sub-tree. Consumers who prune dev-dependencies keep a clean server runtime, but the affected code is still part of the bundled wallet-connect client surface (Trezor / Reown). Most importantly, the kit itself ships these advisories to every integrator.
Requested fix
- Move @trezor/connect-web off the 10.0.0-alpha.1 pre-release — either to the stable 9.7.x line, or to a v10 release once it depends on protobufjs >= 7.6.3.
- Bump @reown/appkit to >= 1.8.21.
- Consider using caret/semver ranges for these sub-dependencies (instead of exact pins) so patch-level security fixes flow through to integrators automatically.
Environment
- @creit.tech/stellar-wallets-kit: 2.3.0 and 2.4.0 (both reproduce)
- npm 11.16.0, Node 26