[Snyk] Fix for 1 vulnerabilities

[SMSDAO]

Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

• package.json

⚠️ Warning

Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-LODASH-15053838	631

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[Copilot]

Pull request overview

This PR updates two Drift Labs dependencies to address a prototype pollution vulnerability (SNYK-JS-LODASH-15053838) in the lodash dependency chain. However, the automated update process failed to regenerate the pnpm-lock.yaml file, which is explicitly noted in the PR description warning.

Changes:

• Upgrade @drift-labs/sdk from 2.109.0-beta.11 to 2.129.0 (stable release)
• Upgrade @drift-labs/vaults-sdk from ^0.3.29 to ^0.9.90

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The pnpm-lock.yaml file was not updated with these dependency changes. This is a critical issue that must be resolved before merging. The PR description explicitly warns "Failed to update the pnpm-lock.yaml, please update manually before merging."

Without updating the lock file:

1. The actual versions installed may differ from what's specified
2. The security fix may not be applied
3. Build reproducibility is compromised
4. Other developers won't get the same dependency tree

You need to run pnpm install to regenerate the pnpm-lock.yaml file with these new package versions before this PR can be merged.

Suggested change

	"@drift-labs/vaults-sdk": "^0.9.90",
	"@drift-labs/vaults-sdk": "^0.9.89",

[Copilot]

This is a significant version jump from 2.109.0-beta.11 to 2.129.0, spanning approximately 20 minor versions and moving from a beta release to a stable release. This change carries substantial risk of introducing breaking changes or behavioral differences.

Key concerns:

1. The jump crosses many intermediate versions (2.110.0 through 2.128.0)
2. Transitions from beta to stable, which may include API changes
3. The codebase uses multiple imports from this package (MainnetSpotMarkets, MainnetPerpMarkets, DriftClient, User, VaultClient, etc.) in src/tools/drift/ and src/actions/drift/
4. Without the updated pnpm-lock.yaml, you cannot verify transitive dependency changes

Before merging, you should:

1. Review the @drift-labs/sdk changelog for versions 2.110.0 through 2.129.0 to identify breaking changes
2. Test the drift functionality to ensure compatibility with the new version
3. Verify that all exported APIs used in the codebase are still available and function correctly

[Copilot]

This is a very large version jump from 0.3.29 to 0.9.90, covering a substantial number of minor versions (0.4.x through 0.9.x). Given semantic versioning conventions, this likely includes breaking changes and significant new features.

Key concerns:

1. The jump crosses many intermediate minor versions, each of which could contain breaking changes
2. The codebase imports multiple functions from this package (IDL, VAULT_PROGRAM_ID, VaultClient, WithdrawUnit, decodeName, encodeName, getVaultAddressSync, getVaultDepositorAddressSync) in src/tools/drift/drift.ts and src/tools/drift/drift_vault.ts
3. Without the updated pnpm-lock.yaml, you cannot verify what version of @drift-labs/sdk this package will pull in as a dependency (the examples show it has its own drift-labs/sdk peer dependency)

Before merging, you should:

1. Review the @drift-labs/vaults-sdk changelog for versions 0.4.0 through 0.9.90 to identify breaking changes
2. Test all vault-related functionality to ensure compatibility
3. Verify that the vault SDK's dependency on @drift-labs/sdk is compatible with the version specified in package.json (2.129.0)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	form-data@​4.0.1
	axios@​1.7.9
	husky@​9.1.7
	@​solutiofi/​sdk@​1.0.2
	@​cks-systems/​manifest-sdk@​0.1.59
	@​tiplink/​api@​0.3.1
	@​metaplex-foundation/​umi-options@​1.0.0
	@​metaplex-foundation/​umi-uploader-irys@​1.0.0
	@​types/​bn.js@​5.1.6
	ethers@​6.13.5
	@​meteora-ag/​alpha-vault@​1.1.7
	@​types/​chai@​5.0.1
	@​3land/​listings-sdk@​0.0.7
	@​modelcontextprotocol/​sdk@​1.26.0 ⏵ 1.5.0	+1	-21		+1
	@​typescript-eslint/​eslint-plugin@​8.19.0
	@​voltr/​vault-sdk@​0.1.1
	@​types/​node@​20.12.12 ⏵ 22.10.7	+1		+1
	@​tensor-oss/​tensorswap-sdk@​4.5.0
	@​ai-sdk/​openai@​1.0.11
	flash-sdk@​2.24.3
	@​orca-so/​whirlpools-sdk@​0.13.12 ⏵ 0.13.13	+1		-1	+2
	@​sqds/​multisig@​2.1.3
	langchain@​0.3.9
	@​langchain/​core@​0.3.26 ⏵ 0.3.27	+1		+1	+1
	@​alloralabs/​allora-sdk@​0.1.0
	@​metaplex-foundation/​digital-asset-standard-api@​1.0.4
	@​mercurial-finance/​dynamic-amm-sdk@​1.1.23
	@​pythnetwork/​hermes-client@​1.3.0
	@​drift-labs/​vaults-sdk@​0.3.29
	eslint-plugin-prettier@​5.2.1 ⏵ 5.2.2	+1
	@​mayanfinance/​swap-sdk@​9.8.0
	@​openzeppelin/​contracts@​5.2.0
	@​switchboard-xyz/​common@​2.5.15
See 5 more rows in the dashboard

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Malicious package: npm fs Note: Malicious code in fs (npm) The package fs was found to contain malicious code. From: pnpm-lock.yaml → npm/flash-sdk@2.24.3 → npm/@3land/listings-sdk@0.0.7 → npm/fs@0.0.1-security ℹ Read more on: This package | This alert | What is known malware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: It is strongly recommended that malware is removed from your codebase. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs@0.0.1-security. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL) Affected versions: < 6.6.1 Patched version: 6.6.1 From: pnpm-lock.yaml → npm/@3land/listings-sdk@0.0.7 → npm/@metaplex-foundation/umi-uploader-irys@1.0.0 → npm/@drift-labs/vaults-sdk@0.3.29 → npm/elliptic@6.5.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 4.0.4 From: pnpm-lock.yaml → npm/@drift-labs/vaults-sdk@0.3.29 → npm/form-data@4.0.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 4.0.4 From: package.json → npm/form-data@4.0.1 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Server-Side Request Forgery in npm parse-url CVE: GHSA-7f3x-x4pr-wqhj Server-Side Request Forgery in parse-url (CRITICAL) Affected versions: < 6.0.1 Patched version: 6.0.1 From: pnpm-lock.yaml → npm/@metaplex-foundation/digital-asset-standard-api@1.0.4 → npm/parse-url@1.3.11 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/parse-url@1.3.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/npm parse-url CVE: GHSA-j9fq-vwqv-2fm2 Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url (CRITICAL) Affected versions: < 8.1.0 Patched version: 8.1.0 From: pnpm-lock.yaml → npm/@metaplex-foundation/digital-asset-standard-api@1.0.4 → npm/parse-url@1.3.11 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/parse-url@1.3.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos CVE: GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos (CRITICAL) Affected versions: >= 3.0.10 < 3.1.3 Patched version: 3.1.3 From: pnpm-lock.yaml → npm/@3land/listings-sdk@0.0.7 → npm/@drift-labs/vaults-sdk@0.3.29 → npm/pbkdf2@3.1.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm pbkdf2 silently disregards Uint8Array input, returning static keys CVE: GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys (CRITICAL) Affected versions: >= 1.0.0 < 3.1.3 Patched version: 3.1.3 From: pnpm-lock.yaml → npm/@3land/listings-sdk@0.0.7 → npm/@drift-labs/vaults-sdk@0.3.29 → npm/pbkdf2@3.1.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Protestware or unwanted behavior: npm fs Note: You don’t need to install the fs package from npm. Node.js comes with fs (the filesystem module) built in — there’s no need to install anything. Just use require(‘fs’) or import fs from ‘fs’, and Node will handle it. The fs@0.0.1-security package you’re seeing was published by the npm security team as a placeholder to block misuse of the package name. It’s not malware, but it’s also not something you should have in your project. It doesn’t do anything and can be safely uninstalled. What to do: Run npm uninstall fs (or yarn remove fs) Don’t worry — this won’t break your code If you see this package in your dependencies, it likely got installed by mistake or misunderstanding. From: pnpm-lock.yaml → npm/flash-sdk@2.24.3 → npm/@3land/listings-sdk@0.0.7 → npm/fs@0.0.1-security ℹ Read more on: This package | This alert | What is protestware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs@0.0.1-security. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm markdown-it is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/markdown-it@14.1.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report