
Vulnerable pinned sub-dependencies: @trezor/connect-web alpha pulls a critical protobufjs (GHSA-xq3m-2v4x-88gg) #97

Description

@actarus314

Summary

@creit.tech/stellar-wallets-kit resolves to a sub-dependency tree carrying 45 known advisories (1 critical, 21 high) as reported by npm audit. The count is identical on both the current 2.3.0 and the latest 2.4.0 — bumping the kit does not help, because the affected sub-dependencies are pinned to exact versions that are the same in both releases.

Root cause

The kit pins two sub-dependencies to versions whose transitive trees are vulnerable:

  1. @trezor/connect-web@10.0.0-alpha.1 (a pre-release alpha) → @trezor/protobuf@10.0.0-alpha.1 → protobufjs ≤ 7.6.2, which is affected by GHSA-xq3m-2v4x-88gg (critical).

    The stable line @trezor/connect-web@9.7.3 is available, and protobufjs is fixed in >= 7.6.3 (latest 8.x).

  2. @reown/appkit@1.8.19 → high advisories via viem and ws (e.g. GHSA-96hv-2xvq-fx4p — ws memory-exhaustion DoS, fixed in ws >= 8.20.2). @reown/appkit@1.8.21 is available upstream.

Because these ranges are pinned exactly, downstream consumers cannot remediate via npm overrides without risking breakage of the wallet-connect flow.

Reproduction

npm init -y
npm i @creit.tech/stellar-wallets-kit@2.4.0 --package-lock-only
npm audit
# => 45 vulnerabilities (18 low, 5 moderate, 21 high, 1 critical)
# identical result with @2.3.0

Impact

The critical (protobufjs ACE) and the highs live entirely in the kit's sub-tree. Consumers who prune dev-dependencies keep a clean server runtime, but the affected code is still part of the bundled wallet-connect client surface (Trezor / Reown). Most importantly, the kit itself ships these advisories to every integrator.

Requested fix

  • Move @trezor/connect-web off the 10.0.0-alpha.1 pre-release — either to the stable 9.7.x line, or to a v10 release once it depends on protobufjs >= 7.6.3.
  • Bump @reown/appkit to >= 1.8.21.
  • Consider using caret/semver ranges for these sub-dependencies (instead of exact pins) so patch-level security fixes flow through to integrators automatically.

Environment

  • @creit.tech/stellar-wallets-kit: 2.3.0 and 2.4.0 (both reproduce)
  • npm 11.16.0, Node 26
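As an added example (not code from the issue or the stellar-wallets-kit project): a small Node.js script that walks a package-lock.json (lockfileVersion 3 layout) from the root package to a vulnerable package, classifies each edge's spec as an exact pin or a range, and checks whether the fixed version would satisfy the innermost range. This is the check behind the root-cause and caret-range points above. The lockfile fragment is constructed: the package names and the kit's exact pins are the ones in the report, while the root range `^2.4.0` and the nested specs (`7.6.2` exact under @trezor/protobuf, `^8.18.0` under @reown/appkit) are assumptions chosen to show both outcomes, not the real packages' manifests.

```javascript
// Added example, not code from the issue or the stellar-wallets-kit project.
// Walks a package-lock.json (lockfileVersion 3 layout) from the root package to a
// vulnerable package and shows where exact pins stop a patch-level fix flowing through.

// Constructed lockfile fragment: package names and the kit's exact pins follow the report;
// the root range and the specs under @trezor/protobuf and @reown/appkit are assumptions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "@creit.tech/stellar-wallets-kit": "^2.4.0" } },
    "node_modules/@creit.tech/stellar-wallets-kit": {
      version: "2.4.0",
      dependencies: { "@trezor/connect-web": "10.0.0-alpha.1", "@reown/appkit": "1.8.19" },
    },
    "node_modules/@trezor/connect-web": {
      version: "10.0.0-alpha.1",
      dependencies: { "@trezor/protobuf": "10.0.0-alpha.1" },
    },
    "node_modules/@trezor/protobuf": { version: "10.0.0-alpha.1", dependencies: { protobufjs: "7.6.2" } },
    "node_modules/protobufjs": { version: "7.6.2" },
    "node_modules/@reown/appkit": { version: "1.8.19", dependencies: { ws: "^8.18.0" } },
    "node_modules/ws": { version: "8.18.0" },
  },
};

// Minimal semver: "1.2.3" or "1.2.3-alpha.1" -> { major, minor, patch, pre: [...] }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a plain version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Prerelease identifiers: numeric ones compare as numbers and sort before alphanumeric ones.
function compareIds(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(a - b);
  if (na !== nb) return na ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) if (x[k] !== y[k]) return Math.sign(x[k] - y[k]);
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length); // release > prerelease
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const c = compareIds(x.pre[i], y.pre[i]);
    if (c) return c;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

// Supports the spec shapes that appear in the report: exact, ^, ~ and >=.
function satisfies(version, spec) {
  const [, op, baseStr] = /^(\^|~|>=)?\s*(.+)$/.exec(spec.trim());
  const v = parseVersion(version), base = parseVersion(baseStr);
  const sameTuple = v.major === base.major && v.minor === base.minor && v.patch === base.patch;
  // npm rule: a prerelease only matches a spec that names a prerelease on the same x.y.z
  if (v.pre.length && !(sameTuple && base.pre.length)) return false;
  const cmp = compareVersions(version, baseStr);
  if (!op) return cmp === 0;
  if (op === ">=") return cmp >= 0;
  if (cmp < 0) return false;
  if (op === "~") return v.major === base.major && v.minor === base.minor;
  if (base.major > 0) return v.major === base.major;                  // ^1.2.3: same major
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor; // ^0.2.3: same minor
  return sameTuple;                                                   // ^0.0.3: exact
}

const isExactPin = (spec) => /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(spec.trim());

// Every dependency chain from the root to `target`, as edges { from, to, spec }.
function findChains(lock, target) {
  const chains = [];
  const nameOf = (key) => (key === "" ? lock.packages[""].name : key.slice("node_modules/".length));
  const walk = (key, path, seen) => {
    for (const [dep, spec] of Object.entries(lock.packages[key]?.dependencies || {})) {
      const next = [...path, { from: nameOf(key), to: dep, spec }];
      if (dep === target) chains.push(next);
      else if (!seen.has(dep)) walk(`node_modules/${dep}`, next, new Set(seen).add(dep)); // cycle guard
    }
  };
  walk("", [], new Set());
  return chains;
}

// For each chain to `target`: does `fixedVersion` fit the innermost spec, and which
// edges are exact pins that only change when their parent publishes a new release?
function report(lock, target, fixedVersion) {
  return findChains(lock, target).map((chain) => ({
    chain: [chain[0].from, ...chain.map((e) => e.to)].join(" -> "),
    installed: lock.packages[`node_modules/${target}`].version,
    fixFitsLeafRange: satisfies(fixedVersion, chain[chain.length - 1].spec),
    exactPinsOnPath: chain.filter((e) => isExactPin(e.spec)).map((e) => `${e.from} pins ${e.to}@${e.spec}`),
  }));
}

for (const [pkg, fixed] of [["protobufjs", "7.6.3"], ["ws", "8.20.2"]]) {
  console.log(JSON.stringify(report(SAMPLE_LOCK, pkg, fixed), null, 2));
}
```

Run it with `node`. A chain whose report shows `fixFitsLeafRange: false` plus exact pins all the way down is the situation described in the issue: neither `npm update` nor a kit bump can reach the fixed version, because every edge has to be re-published. A chain with `fixFitsLeafRange: true` and no exact pin on the last edge can be refreshed by regenerating the lockfile. The prerelease rule in `satisfies` also shows why an exact `10.0.0-alpha.1` pin will not accept a later stable 10.x without a manifest change. To inspect a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the root-level `node_modules/<name>` layout is an assumption that holds for hoisted installs but not for nested duplicates.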
