Fix dependency security alerts#124

Open
prabal-banerjee wants to merge 2 commits into
mainfrom
prabal/dependency-update
Open

Fix dependency security alerts#124
prabal-banerjee wants to merge 2 commits into
mainfrom
prabal/dependency-update

Conversation

@prabal-banerjee
Contributor

@prabal-banerjee prabal-banerjee commented May 28, 2026

Summary

  • Pin direct dependencies to minimum patched versions for reported alerts
  • Add pnpm overrides for transitive advisory minimums
  • Rebase onto current main and regenerate pnpm lockfile

Verification

  • pnpm lint
  • pnpm build

Notes

  • pnpm audit --audit-level high still reports bigint-buffer via main's Wormhole/Solana dependency path; npm reports no patched version (<0.0.0), so there is no minimum patched version to pin.

@vercel

vercel Bot commented May 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: bridge-ui
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 28, 2026 10:17am

@greptile-apps
Contributor

greptile-apps Bot commented May 28, 2026

Greptile Summary

This PR addresses dependency security alerts by pinning axios and postcss to patched exact versions, adding an extensive pnpm.overrides block to force patched versions of ~50 transitive dependencies, and upgrading Next.js from 14.0.1 to 15.5.18. It also introduces a "use client" wrapper component (bridge-section-client.tsx) to satisfy Next 15's requirement that dynamic with ssr: false lives inside a Client Component boundary.

  • Dependency security hardening: Direct pinning of axios@1.15.2 and postcss@8.5.10, plus pnpm overrides covering critical advisories (follow-redirects, elliptic, nanoid, webpack, ws, etc.) across the transitive graph.
  • Next 15 migration: app/page.tsx is cleaned up to be a pure server component; the dynamic import is moved into a new bridge-section-client.tsx wrapper; next-env.d.ts gains the typed-routes reference for Next 15.
  • .env.example updated: Empty placeholders replaced with actual turing/testnet values; eslint-config-next remains on 14.0.1 while next is now 15.5.18.

Confidence Score: 4/5

The security patching and Next 15 migration are sound; the main rough edges are the eslint-config-next version mismatch and the .env.example losing COINGECKO_API_KEY, neither of which blocks a correct production build.

The core work — dependency overrides, direct version pins, and the client-wrapper pattern — is correct and well-scoped. The eslint-config-next still at 14.0.1 while next is 15.5.18 means linting does not fully reflect the new framework version, and dropping COINGECKO_API_KEY from .env.example is a documentation gap that could silently affect developers setting up the project.

package.json (eslint-config-next mismatch) and .env.example (missing COINGECKO_API_KEY, NODE_ENV=test) deserve a quick pass before merging.

Important Files Changed

  • package.json: Upgrades next from 14.0.1 to 15.5.18, pins axios and postcss to exact versions, adds extensive pnpm overrides for transitive deps; eslint-config-next is still pinned to 14.0.1 while next is now 15.5.18, a version mismatch that could cause missing or incorrect lint rules
  • .env.example: Replaced empty placeholders with actual turing/testnet URLs and contract addresses; missing COINGECKO_API_KEY that was in the old file; NODE_ENV=test hardcoded, which is misleading for developers copying this for local use
  • components/sections/bridge-section-client.tsx: New 'use client' wrapper that hosts the dynamic import with ssr:false, correctly isolating browser-only bridge widget dependencies from the server component tree in Next 15
  • app/page.tsx: Replaced inline dynamic import with BridgeSectionClient; clean refactor, page becomes a proper server component
  • next-env.d.ts: Adds typed routes reference for Next 15 and updates doc link; auto-generated, no concerns
  • pnpm-lock.yaml: Lock file regenerated from v6 to v9 format reflecting the dependency upgrades and overrides; no direct concerns beyond verifying the overrides resolved correctly

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["app/page.tsx\n(Server Component)"] -->|"imports"| B["BridgeSectionClient\n(bridge-section-client.tsx)\n'use client'"]
    B -->|"next/dynamic ssr:false"| C["BridgeSection\n(bridgesection.tsx)\nbrowser-only widget"]
    
    subgraph "Next 15 SSR Boundary"
        A
    end
    subgraph "Client Boundary"
        B
        C
    end

Reviews (1): Last reviewed commit: "Fix dependency security alerts"
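The pnpm-lock.yaml line in the review above leaves the one check a reviewer actually needs ("verifying the overrides resolved correctly") as homework. The script below is an added example, not the PR's or the project's code: it reads the pnpm.overrides block from package.json and the resolved package keys from pnpm-lock.yaml and reports every override that did not take effect. It assumes the lockfile v9 layout (two-space-indented `name@version:` keys under `packages:`, optionally quoted and optionally suffixed with a peer list in parentheses), override values written as an exact version or a `>=`/`^`/`~` minimum, and it parses that subset by hand rather than pulling in a YAML library. The sample package.json and lockfile embedded at the bottom are constructed for illustration: the package names come from this PR, the version numbers do not.

```javascript
// Added example, not the PR's or the project's code: verify that each
// pnpm.overrides entry in package.json actually took effect in pnpm-lock.yaml.
// Assumptions: lockfile v9 layout (two-space-indented "name@version:" keys under
// "packages:", optionally quoted, optionally suffixed with "(peer@ver)"); override
// values are an exact version ("3.3.8") or a ">=x.y.z" / "^x.y.z" / "~x.y.z"
// minimum. No YAML library: the hand-written parser covers only that subset.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// -1 / 0 / 1; a pre-release sorts below its release (1.2.3-rc.1 < 1.2.3).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// "@scope/name@1.2.3(peer@4.5.6)" -> { name: "@scope/name", version: "1.2.3" };
// null when there is no "@version" part (plain "name" or "@scope/name").
function splitPackageKey(key) {
  const bare = key.replace(/\(.*$/, '');
  const at = bare.lastIndexOf('@');
  return at > 0 ? { name: bare.slice(0, at), version: bare.slice(at + 1) } : null;
}

// package name -> every version resolved in the lockfile's packages: block.
function resolvedVersions(lockText) {
  const out = new Map();
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level key
    if (!inPackages) continue;
    const m = /^  (['"]?)(\S+?)\1:\s*$/.exec(line);       // exactly two-space indent
    const pk = m && splitPackageKey(m[2]);
    if (!pk) continue;
    if (!out.has(pk.name)) out.set(pk.name, []);
    out.get(pk.name).push(pk.version);
  }
  return out;
}

// One finding per violation; [] means every override is honoured. A selector such
// as "ws@<8.17.1" is reduced to its package name and its range ignored, so every
// resolved copy must meet the minimum (the conservative reading for an advisory).
function checkOverrides(packageJson, lockText) {
  const overrides = (packageJson.pnpm && packageJson.pnpm.overrides) || {};
  const resolved = resolvedVersions(lockText);
  const findings = [];
  for (const [selector, spec] of Object.entries(overrides)) {
    const sel = splitPackageKey(selector);
    const name = sel ? sel.name : selector;
    const isMinimum = /^(>=|\^|~)/.test(spec);
    const required = spec.replace(/^(>=|\^|~)\s*/, '');
    if (!parseSemver(required)) throw new Error(`unsupported spec for ${name}: ${spec}`);
    const versions = resolved.get(name);
    if (!versions) { findings.push({ name, status: 'not-in-lockfile', resolved: null, required }); continue; }
    for (const v of versions) {
      const cmp = compareSemver(v, required);
      if (isMinimum ? cmp < 0 : cmp !== 0) {
        findings.push({ name, status: isMinimum ? 'below-minimum' : 'mismatch', resolved: v, required });
      }
    }
  }
  return findings;
}

// Constructed sample inputs (package names from the PR, versions invented):
// follow-redirects and nanoid satisfied; one ws copy and elliptic left below
// their minimums; left-pad is a stale override matching nothing.
const SAMPLE_PACKAGE_JSON = { pnpm: { overrides: {
  'follow-redirects': '>=1.15.6', 'nanoid': '3.3.8', 'ws@<8.17.1': '>=8.17.1',
  'elliptic': '>=6.6.1', 'left-pad': '>=1.3.0',
} } };

const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
packages:
  follow-redirects@1.15.9:
    resolution: {integrity: sha512-constructed}
  nanoid@3.3.8:
    resolution: {integrity: sha512-constructed}
  ws@8.17.1:
    resolution: {integrity: sha512-constructed}
  ws@7.5.10:
    resolution: {integrity: sha512-constructed}
  elliptic@6.5.4:
    resolution: {integrity: sha512-constructed}
snapshots:
  ws@8.17.1: {}
`;

const SAMPLE_FINDINGS = checkOverrides(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.status}: ${f.name} resolved=${f.resolved ?? '-'} required=${f.required}`);
}
```

Against a real checkout you would feed `checkOverrides` the parsed package.json and the text of pnpm-lock.yaml read with `fs.readFileSync` after `pnpm install`; a `below-minimum` finding means the override did not reach that copy (usually a selector range that excludes it), a `mismatch` means an exact pin was not honoured, and `not-in-lockfile` flags an override that no longer matches anything and can be deleted. It deliberately does not check that the forced version is one the dependents declare as compatible, which is why the PR's `pnpm build` and `pnpm lint` still need a test run behind them.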

Comment thread package.json Outdated
@@ -85,8 +85,76 @@
"eslint": "^8.57.1",
"eslint-config-next": "14.0.1",
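Review bot: pnpm.overrides replaces a package's version for every dependent in the graph regardless of the range that dependent declared, so an override that crosses a major version can break a transitive consumer at runtime without affecting `pnpm lint` or `pnpm build`, which are the only verification steps listed in the PR description; before merging, exercise the bridge UI (the preview deployment exists for this) and confirm with `pnpm why <package>` and `pnpm audit --audit-level high` that each override resolved to the intended version. Note also that the header `@@ -85,8 +85,76 @@` announces 68 added lines but only the two unchanged context lines `"eslint": "^8.57.1",` and `"eslint-config-next": "14.0.1",` appear in this thread, so the override entries themselves are not reviewable here; the 14.0.1 versus 15.5.18 mismatch is handled by the inline comment on this thread.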
Contributor

P2 eslint-config-next is still pinned to 14.0.1 while next has been upgraded to 15.5.18. The eslint-config-next package ships Next.js-specific lint rules (App Router patterns, image optimisation, script loading, etc.) that are versioned alongside the framework. Running with a v14 config against a v15 app means any rules added or changed in Next 15 are silently absent, so the pnpm lint pass mentioned in verification may not be catching everything it should.

Suggested change
"eslint-config-next": "14.0.1",
"eslint-config-next": "15.5.18",

Comment thread .env.example Outdated
NEXT_PUBLIC_TRACK_USER_INTERACTIONS=true
NEXT_PUBLIC_TRACK_RESOURCES=true
NEXT_PUBLIC_TRACK_LONG_TASKS=true
NODE_ENV=test No newline at end of file
Contributor

P2 NODE_ENV in .env.example — Next.js actively overrides NODE_ENV at runtime (development for next dev, production for next build), so this value has no effect on the framework itself. However, other tools in the stack (Jest, testing libraries, some polyfill guards) do respect it unconditionally, so a developer who copies this file for local development and then runs non-Next scripts may get unexpected test-mode behaviour from those tools.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Comment thread .env.example Outdated
Comment on lines +1 to +17
NEXT_PUBLIC_ENVIRONMENT="test"
SEPOLIA_RPC_URL="https://sepolia.gateway.tenderly.co"
NEXT_PUBLIC_BRIDGE_API_URL="https://turing-bridge-api.fra.avail.so"
NEXT_PUBLIC_BRIDGE_INDEXER_URL="https://turing-bridge-indexer.fra.avail.so"
NEXT_PUBLIC_SUBSCAN_URL="https://avail-turing.subscan.io"
NEXT_PUBLIC_ETH_EXPLORER_URL="https://sepolia.etherscan.io"
NEXT_PUBLIC_COINGECKO_API_URL="https://api.coingecko.com/api/v3/simple/price"
NEXT_PUBLIC_BRIDGE_PROXY_CONTRACT="0x967F7DdC4ec508462231849AE81eeaa68Ad01389"
NEXT_PUBLIC_TOKEN_CONTRACT="0xb1c3cb9b5e598d4e95a85870e7812b99f350982d"
NEXT_PUBLIC_AVAIL_RPC="wss://turing-rpc.avail.so/ws"
NEXT_PUBLIC_ETHEREUM_NETWORK="sepolia"
NEXT_PUBLIC_SESSION_SAMPLE_RATE=100
NEXT_PUBLIC_SESSION_REPLAY_SAMPLE_RATE=20
NEXT_PUBLIC_TRACK_USER_INTERACTIONS=true
NEXT_PUBLIC_TRACK_RESOURCES=true
NEXT_PUBLIC_TRACK_LONG_TASKS=true
NODE_ENV=test No newline at end of file
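Review bot: every application variable in this file except SEPOLIA_RPC_URL carries the NEXT_PUBLIC_ prefix, and Next.js inlines NEXT_PUBLIC_ values into the browser bundle at build time; that is appropriate for the public RPC, explorer, indexer and contract values shown, but if the COINGECKO_API_KEY that the earlier .env.example carried is reinstated it must stay unprefixed so it remains server-side only, and its placeholder should be an obviously fake value rather than anything resembling a real key. Two smaller points: the file ends without a trailing newline (`NODE_ENV=test No newline at end of file`), so add one, and the hardcoded NODE_ENV=test is already covered by the separate comment on line 17.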
Contributor

P2 The old .env.example included COINGECKO_API_KEY and NEXT_PUBLIC_CMC_API_URL; both are absent from the new version. If any server-side API route or service still references COINGECKO_API_KEY, a developer bootstrapping from the updated example will deploy without that variable set and get silent failures or unexpected undefined values at runtime.
