## Summary

After running `npm audit fix` and `npm audit fix --force`, 10 vulnerabilities remain that cannot be resolved automatically. These are in transitive dependencies with no upstream fix available.
## Audit Results

| Package | Severity | Issue | Root Cause |
|---|---|---|---|
| `d3-color` < 3.1.0 | HIGH | ReDoS (GHSA-36jr-mh4h-2g58) | Via `0x` → `d3-fg` → `d3-zoom` → `d3-scale` → `d3-interpolate` → `d3-color` |
| `elliptic` * | HIGH | Risky crypto primitive (GHSA-848j-6mx2-7j84) | Via `crypto-browserify` → `browserify-sign` / `create-ecdh` → `elliptic` |
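As an added illustration (not code from this issue or the project), the script below reconstructs the "Root Cause" chains from an `npm audit --json` report by walking each advisory's `effects` back up to a direct dependency, and keeps only entries whose `fixAvailable` is `false`. The embedded report is constructed to match the `d3-color` row; the field layout assumes the npm 7+ audit JSON shape, so verify it against your own `npm audit --json` output.

```javascript
// CONSTRUCTED sample modelled on `npm audit --json` (npm 7+): `via` holds either
// advisory objects (the package itself is vulnerable) or names of vulnerable
// dependencies; `effects` lists the packages that depend on this one.
const sampleAudit = {
  vulnerabilities: {
    '0x':             { name: '0x',             isDirect: true,  via: ['d3-fg'],          effects: [],                 fixAvailable: false },
    'd3-fg':          { name: 'd3-fg',          isDirect: false, via: ['d3-zoom'],        effects: ['0x'],             fixAvailable: false },
    'd3-zoom':        { name: 'd3-zoom',        isDirect: false, via: ['d3-scale'],       effects: ['d3-fg'],          fixAvailable: false },
    'd3-scale':       { name: 'd3-scale',       isDirect: false, via: ['d3-interpolate'], effects: ['d3-zoom'],        fixAvailable: false },
    'd3-interpolate': { name: 'd3-interpolate', isDirect: false, via: ['d3-color'],       effects: ['d3-scale'],       fixAvailable: false },
    'd3-color':       { name: 'd3-color',       isDirect: false, range: '<3.1.0',         effects: ['d3-interpolate'], fixAvailable: false,
      via: [{ source: 1, name: 'd3-color', severity: 'high', range: '<3.1.0', title: 'ReDoS',
              url: 'https://github.com/advisories/GHSA-36jr-mh4h-2g58' }] },
  },
};

// Advisory objects attached directly to a package (string entries are just edges).
function advisoriesOf(vuln) {
  return vuln.via.filter((v) => typeof v === 'object');
}

// Walk `effects` upward from `leaf` to every direct dependency. Returns chains
// ordered root → leaf, e.g. ['0x', 'd3-fg', ..., 'd3-color'].
function rootChains(vulns, leaf) {
  const chains = [];
  const walk = (pkg, path, seen) => {
    if (seen.has(pkg)) return;                 // guard against dependency cycles
    const v = vulns[pkg];
    if (!v || v.isDirect || v.effects.length === 0) {
      chains.push([pkg, ...path]);             // reached a root of the chain
      return;
    }
    for (const parent of v.effects) walk(parent, [pkg, ...path], new Set(seen).add(pkg));
  };
  walk(leaf, [], new Set());
  return chains;
}

// Findings that neither `npm audit fix` nor `--force` can resolve (fixAvailable === false).
function unfixableFindings(audit) {
  const vulns = audit.vulnerabilities;
  const findings = [];
  for (const v of Object.values(vulns)) {
    if (v.fixAvailable !== false) continue;
    for (const adv of advisoriesOf(v)) {
      for (const chain of rootChains(vulns, v.name)) {
        findings.push({ package: v.name, range: v.range, severity: adv.severity,
                        ghsa: adv.url.split('/').pop(), chain: chain.join(' → ') });
      }
    }
  }
  return findings;
}

for (const f of unfixableFindings(sampleAudit)) {
  console.log(`${f.severity.toUpperCase()} ${f.package} ${f.range} (${f.ghsa}): ${f.chain}`);
}
```

To run it on a real report, replace `sampleAudit` with `JSON.parse(require('fs').readFileSync('audit.json', 'utf8'))` after `npm audit --json > audit.json`.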
## Suggested Fixes

- Replace the `0x` profiler with `clinic.js` or `node --prof` — eliminates the entire `d3-color` chain.
- Replace `crypto-browserify` with Node.js native `crypto` (Node 18+) — eliminates the `elliptic` chain.
## Additional Finding

Hardcoded API key in `packages/agent-booster/benchmarks/morph-benchmark.js:12`:

```js
const MORPH_API_KEY = 'sk-ifrAh8auI9Gkk2J_...'
```

The key should be rotated and the literal replaced with `process.env.MORPH_API_KEY`.
## Environment

- Node.js 18+
- `npm audit` run on 2026-03-10
- Started with 30 vulnerabilities, resolved 20 via `npm audit fix --force`

Thank you for the great project!