
fix(deps): add sha.js resolution to fix SNYK-JS-SHAJS-12089400#607

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1777470479-fix-sha-js-cve

Conversation


@devin-ai-integration devin-ai-integration Bot commented Apr 29, 2026

Summary

Adds a yarn resolution for sha.js to fix critical vulnerability SNYK-JS-SHAJS-12089400 (Function Call With Incorrect Argument Type, CVSS 9.8).

What changed:

  • Added "**/sha.js": "^2.4.12" to the resolutions field in package.json
  • Updated yarn.lock to resolve sha.js to version 2.4.12 (previously 2.4.11)

Why:
The vulnerable version sha.js@2.4.11 was pulled in transitively via @ngraveio/bc-ur > sha.js. The resolution forces all instances of sha.js across the dependency tree to resolve to >=2.4.12, which contains the fix.

Impact:

  • @ngraveio/bc-ur@1.1.13 (QR code hardware wallet communication) depends on sha.js@^2.4.11, which is satisfied by 2.4.12 — no breaking change expected.
  • No other dependencies are affected; sha.js@2.4.12 is a patch-level semver update.

Review & Testing Checklist for Human

  • Verify yarn install succeeds in CI and sha.js resolves to 2.4.12
  • Confirm QR-code hardware wallet flows (via @ngraveio/bc-ur) still function correctly
  • Run Snyk/security scan to confirm SNYK-JS-SHAJS-12089400 is resolved

Notes

  • yarn install could not complete locally due to a pre-existing 404 on react-native-tcp GitHub tarball (unrelated to this change). The yarn.lock was updated manually with the correct integrity hash from the npm registry.
  • The project uses yarn v1 with ignore-scripts true in .yarnrc.

Link to Devin session: https://app.devin.ai/sessions/bf60714f26b64bd7a95d0ef09407df98
Requested by: @abhay-codeium
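As an added example (not code from this PR or from the repository): the first item of the review checklist above asks a human to verify that sha.js resolves to 2.4.12. The Node script below does that mechanically by parsing a yarn v1 lockfile, collecting every resolved version of a named package, and failing if any entry is below the required minimum or if the package is missing entirely. The lockfile excerpts are constructed for the example (the `resolved`/`integrity` lines a real yarn.lock carries are omitted), and the function names are my own.

```javascript
// Added example, not part of the PR. Checks that every entry for a package in a
// yarn v1 lockfile resolves to at least a minimum version.

// Constructed lockfile excerpt; only the sha.js version is parameterised so the
// pre-fix (2.4.11) and post-fix (2.4.12) states can both be exercised.
function sampleLock(shaJsVersion) {
  return `# yarn lockfile v1

"@ngraveio/bc-ur@^1.1.13":
  version "1.1.13"
  dependencies:
    sha.js "^2.4.11"

"sha.js@^2.4.11", "sha.js@^2.4.8":
  version "${shaJsVersion}"
  dependencies:
    inherits "^2.0.1"
    safe-buffer "^5.0.1"

inherits@^2.0.1:
  version "2.0.4"
`;
}

// Parse yarn v1 lockfile text into [{ specs: [...], version }]. Entry headers are
// unindented lines ending in ':' listing one or more comma-separated specs;
// the resolved version is the indented `version "..."` line that follows.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.startsWith('#') || line.trim() === '') continue;
    if (!line.startsWith(' ')) {
      const header = line.replace(/:\s*$/, '');
      const specs = header.split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s{2}version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "sha.js@^2.4.11" -> "sha.js"; "@ngraveio/bc-ur@^1.1.13" -> "@ngraveio/bc-ur".
function packageName(spec) {
  const idx = spec.lastIndexOf('@');
  return idx > 0 ? spec.slice(0, idx) : spec;
}

// Compare major.minor.patch numerically; prerelease suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every distinct version the lockfile resolves `name` to, ascending.
function resolvedVersions(lockText, name) {
  const versions = new Set();
  for (const e of parseYarnLockV1(lockText)) {
    if (e.version && e.specs.some((s) => packageName(s) === name)) versions.add(e.version);
  }
  return [...versions].sort(compareSemver);
}

// ok is true only if the package is present and no entry is below minVersion;
// a package that is absent from the lockfile is reported as a failure rather
// than silently passing.
function checkMinimumVersion(lockText, name, minVersion) {
  const versions = resolvedVersions(lockText, name);
  const below = versions.filter((v) => compareSemver(v, minVersion) < 0);
  return { name, minVersion, versions, below, ok: versions.length > 0 && below.length === 0 };
}

// Run against a real lockfile if a path is given (node check.js path/to/yarn.lock),
// otherwise against the constructed post-fix sample.
const lockPath = typeof process !== 'undefined' ? process.argv[2] : undefined;
const lockText = lockPath && typeof require === 'function'
  ? require('fs').readFileSync(lockPath, 'utf8')
  : sampleLock('2.4.12');
console.log(JSON.stringify(checkMinimumVersion(lockText, 'sha.js', '2.4.12'), null, 2));
```

Pointing the script at the repository's yarn.lock after the resolution is applied should report `ok: true` with `versions: ["2.4.12"]`; on the pre-fix lockfile it reports `ok: false` and lists `2.4.11` under `below`. Because yarn resolutions rewrite every entry matching `**/sha.js`, the check deliberately looks at all entries for the name, not just the first.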



Add yarn resolution for sha.js ^2.4.12 to address critical vulnerability
SNYK-JS-SHAJS-12089400 (Function Call With Incorrect Argument Type, CVSS 9.8).

The vulnerable version 2.4.11 was pulled in transitively via
@ngraveio/bc-ur > sha.js. The resolution forces all instances of sha.js
to resolve to >=2.4.12.

Co-Authored-By: Abhay Aggarwal <abhay.aggarwal@codeium.com>
🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

