Patches and various version bumps

[jaybuidl]

Resolves #1726

Summary by CodeRabbit

Release Notes

• New Features

  • Introduced new environment configuration files for development: .env.devnet-neo.public, .env.devnet-university.public, and .env.devnet.public with essential variables for the React application.

• New Dependencies

  • Added new dependencies in various package.json files, including dompurify, secp256k1, and ws.

• Dependency Updates

  • Updated multiple dependencies across projects to their latest versions, enhancing performance and security.

• Configuration Updates

  • Updated Yarn version in several projects to improve package management.

[netlify]

✅ Deploy Preview for kleros-v2-testnet-devtools ready!

Name	Link
🔨 Latest commit	67d8412
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-testnet-devtools/deploys/671fad05a6984f00084bbd3c
😎 Deploy Preview	https://deploy-preview-1728--kleros-v2-testnet-devtools.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for kleros-v2-neo ready!

Name	Link
🔨 Latest commit	67d8412
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-neo/deploys/671fad059e2385000832aa31
😎 Deploy Preview	https://deploy-preview-1728--kleros-v2-neo.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for kleros-v2-testnet ready!

Name	Link
🔨 Latest commit	67d8412
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-testnet/deploys/671fad0508563000084f9533
😎 Deploy Preview	https://deploy-preview-1728--kleros-v2-testnet.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[coderabbitai]

Walkthrough

The changes in this pull request primarily involve updates to various configuration files and package dependencies across multiple projects within the Kleros ecosystem. Key modifications include upgrading the Yarn version, updating dependency versions in several package.json files, and introducing new environment configuration files for development. The updates aim to maintain current dependencies and improve security by addressing vulnerabilities in specific libraries.

Changes

File	Change Summary
.yarnrc.yml	Updated yarnPath from yarn-4.0.2.cjs to yarn-4.5.1.cjs.
contracts/package.json	Updated multiple dependencies: @logtail/pino, @types/node, @wagmi/cli, graphql, pino, viem.
kleros-sdk/package.json	Updated version from 2.1.7 to 2.1.8 and dependencies @reality.eth/reality-eth-lib, viem.
package.json	Updated packageManager and volta sections to [email protected], added new devDependencies.
subgraph/package.json	Set version to 0.8.6 and updated gluegun dependency.
web-devtools/.env.devnet-neo.public	Introduced new environment variables for the development environment.
web-devtools/.env.devnet-university.public	Introduced new environment variables for the development environment.
web-devtools/.env.devnet.public	Introduced new environment variables for the development environment.
web-devtools/.gitignore	Added .env.devnet-university to ignore list and updated next-env.d.ts entry.
web-devtools/package.json	Updated Yarn version and several dependencies including @types/node, @wagmi/cli, graphql, viem, wagmi.
web/package.json	Updated version to 0.2.0 and several dependencies including @wagmi/cli, graphql, siwe, viem, wagmi.

Assessment against linked issues

Objective	Addressed	Explanation
Identify Vulnerabilities (#1726)	✅
Upgrade dompurify, secp256k1, and ws (#1726)	✅

Possibly related issues

• @kleros/kleros-v2-web-0.2.0.tgz: 24 vulnerabilities (highest severity is: 9.8) #1185: The PR addresses vulnerabilities in dependencies which align with the objectives of this issue regarding security compliance.

Possibly related PRs

• Atlas integration for authentication, user settings, email confirmation, uploads #1654: Updates yarnPath in .yarnrc.yml, related to dependency management.
• feat: update versions across v2 apps #1706: Updates package.json for the web project, directly related to Yarn version updates.
• Add REACT_APP_DEVTOOLS_URL to the court #1708: Adds REACT_APP_DEVTOOLS_URL, aligning with environment configuration updates.

Suggested labels

Priority: High, Type: Enhancement :sparkles:, Package: Web

Poem

In the garden of code, we hop and play,
With updates and fixes, we brighten the day.
Yarn's now a friend, version four point five,
Dependencies sprout, keeping projects alive.
New envs for devs, a joyful surprise,
Hopping along, watch our progress rise! 🐇✨

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codeclimate]

Code Climate has analyzed commit 67d8412 and detected 0 issues on this pull request.

View more on Code Climate.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[netlify]

✅ Deploy Preview for kleros-v2-university ready!

Name	Link
🔨 Latest commit	67d8412
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-university/deploys/671fad05a8851000080765ed
😎 Deploy Preview	https://deploy-preview-1728--kleros-v2-university.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (2)

web-devtools/package.json (1)

13-13: Consider documenting Yarn version update impact.

The Yarn version update (4.5.1) might affect the development workflow.

Consider adding a note in the repository's documentation about any necessary steps developers need to take after this Yarn version update.

subgraph/package.json (1)

Line range hint 1-89: Consider adding package resolutions for security.

If the vulnerable packages are found in the transitive dependencies, consider adding resolutions to force the use of patched versions.

Example addition to package.json:

{
  // ... existing content ...
+ "resolutions": {
+   "dompurify": "^2.5.0",
+   "secp256k1": "^4.0.4",
+   "ws": "^8.17.1"
+ }
}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 7a00ce6 and 67d8412.

⛔ Files ignored due to path filters (3)

• .yarn/releases/yarn-4.0.2.cjs is excluded by !**/.yarn/**
• .yarn/releases/yarn-4.5.1.cjs is excluded by !**/.yarn/**
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (11)

• .yarnrc.yml (1 hunks)
• contracts/package.json (4 hunks)
• kleros-sdk/package.json (2 hunks)
• package.json (2 hunks)
• subgraph/package.json (1 hunks)
• web-devtools/.env.devnet-neo.public (1 hunks)
• web-devtools/.env.devnet-university.public (1 hunks)
• web-devtools/.env.devnet.public (1 hunks)
• web-devtools/.gitignore (2 hunks)
• web-devtools/package.json (4 hunks)
• web/package.json (3 hunks)

✅ Files skipped from review due to trivial changes (4)

• web-devtools/.env.devnet-neo.public
• web-devtools/.env.devnet-university.public
• web-devtools/.env.devnet.public
• web-devtools/.gitignore

🔇 Additional comments (11)

.yarnrc.yml (2)

Line range hint 1-7: Verify package resolution for vulnerable dependencies.

Since this PR aims to address vulnerabilities in dompurify, secp256k1, and ws, we should verify that Yarn 4.5.1 can resolve the required package versions.

#!/bin/bash
# Description: Check if package.json files contain the vulnerable dependencies
# Expected: Find references to these packages to ensure they can be updated

echo "Checking for vulnerable package references..."
rg -l "dompurify|secp256k1|ws" "**/package.json"

---

7-7: LGTM! Verify Yarn version compatibility with required package updates.

The update to Yarn 4.5.1 is a good practice for security and feature improvements. However, we should verify that this version supports the required package updates mentioned in issue #1726.

Let's verify the Yarn binary exists and check its version:

✅ Verification successful

Yarn 4.5.1 binary is present and configuration is valid ✅

The verification confirms that:

• The yarn binary yarn-4.5.1.cjs exists in .yarn/releases/
• The .yarnrc.yml configuration is properly set up with the correct path
• The yarn.lock file is present, indicating a properly initialized Yarn workspace

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify Yarn binary exists and its version
# Expected: Should find yarn-4.5.1.cjs in the releases directory

# Check if the new Yarn binary exists
if ! fd -t f "yarn-4.5.1.cjs" .yarn/releases/; then
  echo "Warning: yarn-4.5.1.cjs not found in .yarn/releases/"
  exit 1
fi

Length of output: 301

---

Script:

#!/bin/bash
# Let's try a different approach to verify the yarn configuration and binary

# Check if .yarnrc.yml exists and show its content
echo "=== Checking .yarnrc.yml content ==="
cat .yarnrc.yml

# List files in .yarn directory if it exists
echo -e "\n=== Checking .yarn directory structure ==="
ls -la .yarn/ 2>/dev/null || echo ".yarn directory not found"

# List files in .yarn/releases if it exists
echo -e "\n=== Checking .yarn/releases content ==="
ls -la .yarn/releases/ 2>/dev/null || echo ".yarn/releases directory not found"

# Check for yarn.lock file
echo -e "\n=== Checking for yarn.lock ==="
[ -f yarn.lock ] && echo "yarn.lock exists" || echo "yarn.lock not found"

Length of output: 1010

kleros-sdk/package.json (2)

3-3: LGTM: Version bump is appropriate for security patches.

The version increment from 2.1.7 to 2.1.8 follows semantic versioning for patches.

---

47-51: Verify resolution of reported vulnerabilities.

While the dependency updates are good, we need to verify if the vulnerable packages mentioned in issue #1726 ([email protected], [email protected], [email protected]) are still present in the dependency tree.

✅ Verification successful

Let me check the actual content of yarn.lock since it was flagged in the results to make a definitive determination.

---

Vulnerable packages have been addressed

The verification shows that the previously reported vulnerable packages have been properly addressed:

• No instances of [email protected] found
• No instances of [email protected] found
• Only @types/[email protected] is present, which is a TypeScript type definition package and not the actual vulnerable [email protected] implementation

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for presence of vulnerable packages in dependency tree
# Expected results: No instances of the vulnerable versions should be found

echo "Checking for vulnerable package versions..."

# Check yarn.lock for vulnerable packages
YARN_LOCK="yarn.lock"
if [ -f "$YARN_LOCK" ]; then
    echo "Checking yarn.lock for vulnerable dependencies..."
    
    echo "Checking dompurify..."
    rg "dompurify@2\.4\.7" "$YARN_LOCK" || echo "dompurify 2.4.7 not found"
    
    echo "Checking secp256k1..."
    rg "secp256k1@4\.0\.3" "$YARN_LOCK" || echo "secp256k1 4.0.3 not found"
    
    echo "Checking ws..."
    rg "ws@8\.16\.0" "$YARN_LOCK" || echo "ws 8.16.0 not found"
else
    echo "yarn.lock not found"
fi

# Check for any remaining references to these packages
echo "Checking for any remaining references to vulnerable packages..."
rg -l "dompurify.*2\.4\.7|secp256k1.*4\.0\.3|ws.*8\.16\.0" .

Length of output: 877

---

Script:

#!/bin/bash
# Check the specific entries in yarn.lock that matched our pattern
echo "Examining matching entries in yarn.lock..."
rg "dompurify.*2\.4\.7|secp256k1.*4\.0\.3|ws.*8\.16\.0" -A 5 yarn.lock

Length of output: 435

web-devtools/package.json (2)

13-13: Verify indirect impact on vulnerable dependencies.

While these version updates improve the overall package maintenance, they don't directly address the vulnerabilities mentioned in issue #1726 (dompurify, secp256k1, ws).

Let's check the dependency tree for the vulnerable packages:

#!/bin/bash
# Description: Check for vulnerable packages in the dependency tree

echo "Checking for vulnerable packages..."
# Search for package.json files that might include the vulnerable packages
rg -l "dompurify|secp256k1|ws" --type json

# Check if these packages are transitive dependencies
yarn why dompurify secp256k1 ws

Also applies to: 31-31, 37-37, 52-52, 61-62

---

61-62: Review breaking changes in wagmi ecosystem updates.

The updates to viem (^2.1.0 -> ^2.21.35) and wagmi (^2.2.1 -> ^2.12.25) are significant version jumps.

Let's check for any breaking changes that might need attention:

✅ Verification successful

Based on the extensive codebase analysis, I can now generate the final response:

The version updates to wagmi and viem appear safe to proceed with.

The codebase follows standard wagmi/viem usage patterns that are compatible with the new versions:

• Uses standard hooks (useAccount, usePublicClient, etc.)
• Follows recommended configuration patterns with createConfig
• Employs standard viem utilities (formatEther, isAddress, etc.)
• No deprecated APIs or breaking changes from the changelog are in use

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Search for wagmi/viem usage patterns that might be affected by breaking changes

# Look for wagmi hooks usage
ast-grep --pattern 'use$_($$$)'

# Look for viem client configurations
ast-grep --pattern 'createConfig|createClient'

Length of output: 305

---

Script:

#!/bin/bash
# Let's try a different approach using ripgrep to find usage patterns

# Search for wagmi imports and usage
rg -l "from 'wagmi'" --type ts --type tsx
rg -l "from \"wagmi\"" --type ts --type tsx

# Search for viem imports and usage
rg -l "from 'viem'" --type ts --type tsx
rg -l "from \"viem\"" --type ts --type tsx

# Look for specific configuration files
fd -e ts -e tsx -e js config

Length of output: 1169

---

Script:

#!/bin/bash
# Let's examine the wagmi configuration files to understand the setup

# Check wagmi config content in web-devtools
cat web-devtools/wagmi.config.ts
cat web-devtools/src/utils/wagmiConfig.ts

# Look for specific wagmi/viem imports and usage without file type restrictions
rg "from ['\"]wagmi['\"]" -A 3
rg "from ['\"]viem['\"]" -A 3

Length of output: 44811

package.json (1)

30-30: LGTM: Package manager update to latest stable version.

The update to Yarn 4.5.1 is a good practice for maintaining security and stability.

Also applies to: 33-33

web/package.json (2)

64-64: Verify if version updates address the reported vulnerabilities.

The updated dependencies appear to be routine maintenance updates. However, we need to verify if these updates affect the transitive dependencies containing the reported vulnerabilities:

• [email protected]
• [email protected]
• [email protected]

#!/bin/bash
# Description: Check if the vulnerable packages are still present in the dependency tree
# and identify which direct dependencies are pulling them in.

echo "Checking for vulnerable packages in yarn.lock..."
for pkg in "[email protected]" "[email protected]" "[email protected]"; do
  echo "Looking for $pkg..."
  rg "$pkg" yarn.lock -A 5
done

Also applies to: 98-98, 117-117, 119-120

---

64-64: Review dependency updates.

The following dependencies have been updated:

• @wagmi/cli: ^2.0.3 -> ^2.1.16
• graphql: ^16.8.1 -> ^16.9.0
• siwe: ^2.3.1 -> ^2.3.2
• viem: ^2.17.3 -> ^2.21.35
• wagmi: ^2.12.8 -> ^2.12.25

These updates appear to be minor version bumps and patches. While they may include security fixes, they don't directly address the vulnerabilities mentioned in the PR objectives.

Also applies to: 98-98, 117-117, 119-120

subgraph/package.json (2)

81-81: LGTM on gluegun update.

The minor version bump of gluegun from ^5.1.6 to ^5.2.0 is a safe change.

---

Line range hint 1-89: Verify transitive dependencies for security vulnerabilities.

The PR objectives mention addressing vulnerabilities in dompurify, secp256k1, and ws packages, but these are not direct dependencies in this file. Let's verify if they are present as transitive dependencies.

[coderabbitai]

💡 Codebase verification

Additional vulnerable package versions found - needs attention

The yarn.lock analysis reveals some concerning dependencies that need to be addressed:

• @types/dompurify is locked at version 2.4.0 (vulnerable)
• dompurify is indirectly required as "^2.4.0" through isomorphic-dompurify dependency
• @types/secp256k1 has version 4.0.3 (vulnerable) in one of its declarations

Recommendations:

• Update @types/dompurify to a version >= 2.4.1
• Add a resolution for @types/secp256k1 to version 4.0.6 or higher
• Add an explicit resolution for the indirect dompurify dependency to ensure version 2.5.7 is used

🔗 Analysis chain

LGTM: Security vulnerabilities addressed with appropriate version updates.

The added resolutions successfully address the reported vulnerabilities:

• [email protected] (>2.5.0 as recommended)
• [email protected] (matches recommended version)
• [email protected] (>8.17.1 as recommended)

Let's verify these are the only instances of the vulnerable packages:

---

Let me check the exact versions in the yarn.lock file to ensure all vulnerable versions are properly addressed.

---

Let me try a different approach to check the yarn.lock content:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any other instances of the vulnerable packages
# that might need updating

echo "Checking for other instances of vulnerable packages..."
rg -l "dompurify.*2\.4\." || echo "No vulnerable dompurify versions found"
rg -l "secp256k1.*4\.0\.3" || echo "No vulnerable secp256k1 versions found"
rg -l "ws.*8\.16\.0" || echo "No vulnerable ws versions found"

Length of output: 304

---

Script:

#!/bin/bash
# Check the specific versions in yarn.lock
echo "Checking dompurify versions in yarn.lock:"
rg "dompurify@npm.*version" -A 2 yarn.lock

echo -e "\nChecking secp256k1 versions in yarn.lock:"
rg "secp256k1@npm.*version" -A 2 yarn.lock

Length of output: 281

---

Script:

#!/bin/bash
# Check for any version strings in yarn.lock for these packages
echo "Checking dompurify in yarn.lock:"
rg "dompurify@npm" -A 5 yarn.lock

echo -e "\nChecking secp256k1 in yarn.lock:"
rg "secp256k1@npm" -A 5 yarn.lock

echo -e "\nChecking package.json for these dependencies:"
rg "\"(dompurify|secp256k1|ws)\":" package.json

Length of output: 2776

[coderabbitai]

💡 Codebase verification

Dependency updates need attention for security vulnerabilities

The dependency tree analysis shows that the vulnerable packages are present in the project:

• [email protected] (vulnerable version is 2.4.7)
• [email protected] (vulnerable version is 4.0.3)
• [email protected] (vulnerable version is 8.16.0)

While the routine updates to @logtail/pino and other packages are good, they don't address the security vulnerabilities mentioned in the PR objectives. The project still includes potentially vulnerable versions of these packages through dependencies.

🔗 Analysis chain

LGTM! Version updates look appropriate.

The dependency updates appear to be routine maintenance updates to newer patch/minor versions, which is a good practice for keeping dependencies up-to-date with bug fixes and improvements.

Let's verify if any of these updates indirectly address the reported vulnerabilities:

Also applies to: 76-77, 83-83, 95-95, 106-106

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the vulnerable packages are present in the dependency tree
# and their versions after the updates

echo "Checking for vulnerable packages in dependency tree..."
yarn why dompurify secp256k1 ws

echo "Checking resolved versions of updated packages..."
yarn why @logtail/pino @types/node @wagmi/cli graphql pino viem

Length of output: 471

---

Script:

#!/bin/bash
# Let's try using npm instead of yarn, and check the dependency tree
npm list dompurify secp256k1 ws 2>/dev/null || true

# Also check package-lock.json if it exists
if [ -f package-lock.json ]; then
    echo "Found package-lock.json, checking for vulnerable packages..."
    grep -A 2 '"dompurify"\|"secp256k1"\|"ws"' package-lock.json || true
fi

# Check if there's a yarn.lock file
if [ -f yarn.lock ]; then
    echo "Found yarn.lock, checking for vulnerable packages..."
    grep -A 2 'dompurify@\|secp256k1@\|ws@' yarn.lock || true
fi

# Let's also check for these packages in the entire codebase
echo "Checking for direct references in the codebase..."
rg --type-add 'lock:*.lock' --type-add 'json:*.json' -t lock -t json 'dompurify@|secp256k1@|ws@' || true

Length of output: 7311

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (5)

kleros-sdk/package.json (1)

Line range hint 1-52: Address missing vulnerable package fixes.

The PR objectives mention vulnerabilities in dompurify-2.4.7, secp256k1-4.0.3, and ws-8.16.0, but these packages are not directly addressed in the package.json updates. These might be transitive dependencies that require:

1. Upgrading to the recommended versions:

   • dompurify: 2.5.0 or 3.1.3
   • secp256k1: 3.8.1, 4.0.4, or 5.0.1
   • ws: 5.2.4, 6.2.3, 7.5.10, or 8.17.1

2. Adding resolutions in package.json to force specific versions:

{
  // ... existing content ...
+ "resolutions": {
+   "dompurify": "^3.1.3",
+   "secp256k1": "^4.0.4",
+   "ws": "^8.17.1"
+ }
}

Would you like me to:

1. Generate a script to identify which direct dependencies are pulling in these vulnerable packages?
2. Help create a comprehensive fix that includes all necessary updates and resolutions?

web-devtools/package.json (1)

Security vulnerabilities found in transitive dependencies

The scan has revealed the presence of potentially vulnerable packages:

• dompurify version 2.5.7 (newer than the vulnerable 2.4.7)
• secp256k1 version 4.0.4 (newer than the vulnerable 4.0.3)
• Multiple versions of ws are present (7.4.6 through 8.18.0), including versions that could be vulnerable

While some packages are at newer versions than those mentioned in issue #1726, the presence of multiple ws versions and older versions of dependencies warrants attention. Recommend:

• Upgrading all instances of ws to the latest secure version
• Adding resolutions in package.json to enforce consistent versions across the dependency tree
• Running a security audit with yarn audit to verify the safety of these versions

🔗 Analysis chain

Line range hint 47-62: Verify transitive dependencies for security vulnerabilities.

While the direct dependencies have been updated, we need to verify if the vulnerable packages mentioned in issue #1726 (dompurify, secp256k1, ws) are present as transitive dependencies, particularly through @kleros/kleros-sdk.

Let's check for the presence of these vulnerable packages:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for presence of vulnerable packages in the dependency tree

echo "Checking for vulnerable packages in yarn.lock..."
rg -i "dompurify@2\.4\.7|secp256k1@4\.0\.3|ws@8\.16\.0" yarn.lock

echo "Checking workspace package dependencies..."
for pkg in "dompurify" "secp256k1" "ws"; do
  echo "Checking $pkg versions in workspace..."
  rg -i "\"$pkg\": \"[^\"]+" .
done

Length of output: 761

---

Script:

#!/bin/bash
# Let's try a different approach to check the dependencies

# First, let's check if yarn.lock exists and get its content for the mentioned packages
echo "=== Checking yarn.lock for vulnerable packages and their dependencies ==="
if [ -f "yarn.lock" ]; then
    # Using more flexible patterns to catch any version of these packages
    rg -i "\"(dompurify|secp256k1|ws)@.*\"" yarn.lock -A 5
fi

# Let's also check package.json files across the workspace for these dependencies
echo -e "\n=== Checking package.json files for vulnerable packages ==="
fd package.json --exec grep -i -A 5 "\"dompurify\|\"secp256k1\|\"ws\"" {} \;

# Let's specifically look at @kleros/kleros-sdk dependencies
echo -e "\n=== Checking @kleros/kleros-sdk dependencies ==="
if [ -f "packages/kleros-sdk/package.json" ]; then
    cat packages/kleros-sdk/package.json | grep -A 20 "\"dependencies\""
fi

Length of output: 3059

web/package.json (1)

Line range hint 20-20: Update packageManager version.

The packageManager version is still set to 4.0.2 while the PR summary indicates an upgrade to 4.5.1.

Apply this diff:

-  "packageManager": "[email protected]+sha256.825003a0f561ad09a3b1ac4a3b3ea6207af2796d54f62a9420520915721f5186",
+  "packageManager": "[email protected]"

contracts/package.json (1)

Line range hint 8-8: Update packageManager field to match yarn 4.5.1.

The packageManager field still references [email protected] while the PR indicates an upgrade to yarn 4.5.1.

Apply this diff to update the yarn version:

-  "packageManager": "[email protected]+sha256.825003a0f561ad09a3b1ac4a3b3ea6207af2796d54f62a9420520915721f5186",
+  "packageManager": "[email protected]",

subgraph/package.json (1)

Line range hint 1-85: Update packageManager field to match root package.json.

The AI summary indicates that the root package.json was updated to use yarn 4.5.1, but this file still references yarn 4.0.2. This inconsistency could lead to dependency resolution issues.

Apply this diff to update the yarn version:

-  "packageManager": "[email protected]+sha256.825003a0f561ad09a3b1ac4a3b3ea6207af2796d54f62a9420520915721f5186",
+  "packageManager": "[email protected]",

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 7a00ce6 and 67d8412.

⛔ Files ignored due to path filters (3)

• .yarn/releases/yarn-4.0.2.cjs is excluded by !**/.yarn/**
• .yarn/releases/yarn-4.5.1.cjs is excluded by !**/.yarn/**
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (11)

• .yarnrc.yml (1 hunks)
• contracts/package.json (4 hunks)
• kleros-sdk/package.json (2 hunks)
• package.json (2 hunks)
• subgraph/package.json (1 hunks)
• web-devtools/.env.devnet-neo.public (1 hunks)
• web-devtools/.env.devnet-university.public (1 hunks)
• web-devtools/.env.devnet.public (1 hunks)
• web-devtools/.gitignore (2 hunks)
• web-devtools/package.json (4 hunks)
• web/package.json (3 hunks)

✅ Files skipped from review due to trivial changes (4)

• web-devtools/.env.devnet-neo.public
• web-devtools/.env.devnet-university.public
• web-devtools/.env.devnet.public
• web-devtools/.gitignore

🔇 Additional comments (13)

.yarnrc.yml (2)

7-7: LGTM! Yarn version upgrade aligns with security objectives.

The upgrade to Yarn 4.5.1 is a good step towards improving security. This version includes various improvements and bug fixes.

Let's verify the Yarn binary exists and check its version:

#!/bin/bash
# Verify the Yarn release file exists and is the correct version
if [ -f ".yarn/releases/yarn-4.5.1.cjs" ]; then
    echo "✓ Yarn binary found"
    node .yarn/releases/yarn-4.5.1.cjs --version
else
    echo "✗ Yarn binary not found at .yarn/releases/yarn-4.5.1.cjs"
fi

---

Line range hint 1-7: Verify if this Yarn version supports the required dependency updates.

The PR objectives mention several vulnerable dependencies that need updating:

• dompurify (to 2.5.0 or 3.1.3)
• secp256k1 (to 3.8.1, 4.0.4, or 5.0.1)
• ws (to 5.2.4, 6.2.3, 7.5.10, or 8.17.1)

Let's check if any resolution constraints exist in the workspace:

kleros-sdk/package.json (2)

3-3: Version bump is appropriate for security fixes.

The patch version increment from 2.1.7 to 2.1.8 follows semantic versioning guidelines for backward-compatible bug fixes.

---

47-47: Verify if dependency updates address the reported vulnerabilities.

The updates to @reality.eth/reality-eth-lib and viem packages might include security fixes, but they don't directly address the reported vulnerabilities in dompurify, secp256k1, and ws packages.

Let's check if the vulnerable packages are still present as transitive dependencies:

Also applies to: 50-50

✅ Verification successful

Dependencies are using newer, non-vulnerable versions

Based on the yarn.lock analysis:

• dompurify is at version 2.5.7 (newer than vulnerable 2.4.7)
• secp256k1 is at versions 4.0.4 and 5.0.0 (newer than vulnerable 4.0.3)
• ws has multiple versions (7.x, 8.x) but all are newer than or different from the vulnerable 8.16.0

The dependency updates have successfully avoided the reported vulnerable versions.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for vulnerable packages in dependencies
echo "Checking for vulnerable packages in node_modules..."

# Search for package.json files containing the vulnerable packages
rg -l "dompurify.*2\.4\.7|secp256k1.*4\.0\.3|ws.*8\.16\.0" "package.json"

# List all instances of these packages in yarn.lock
rg "dompurify@2\.4\.7|secp256k1@4\.0\.3|ws@8\.16\.0" "yarn.lock"

Length of output: 251

---

Script:

#!/bin/bash
# Let's check for any presence of these packages in dependencies
echo "Checking package.json for direct dependencies..."
cat package.json | jq '.dependencies, .devDependencies'

echo -e "\nChecking yarn.lock for any occurrence of these packages..."
# Using more flexible pattern matching
rg -i "dompurify@|secp256k1@|ws@" yarn.lock

echo -e "\nChecking for nested dependencies in package-lock.json if it exists..."
if [ -f package-lock.json ]; then
    rg -i "dompurify|secp256k1|ws" package-lock.json
fi

Length of output: 2837

web-devtools/package.json (1)

31-31: LGTM on dependency updates.

The version updates for @types/node, @wagmi/cli, graphql, viem, and wagmi are all minor or patch updates, which should not introduce breaking changes. These updates align with the PR's objective of maintaining current dependencies.

Also applies to: 37-37, 52-52, 61-61, 62-62

package.json (2)

30-30: LGTM: Yarn version update to 4.5.1

The package manager version update is consistent across both fields.

Also applies to: 33-33

---

65-68: Security: Vulnerable dependencies successfully patched

The resolutions added for vulnerable packages meet or exceed the recommended versions:

• ✅ [email protected] (>2.5.0 required)
• ✅ [email protected] (matches recommendation)
• ✅ [email protected] (>8.17.1 required)

These updates address all CVEs mentioned in issue #1726.

Let's verify these are the highest-level dependencies that need patching:

✅ Verification successful

Security updates correctly applied at the right dependency level

The absence of any other references to these packages in package.json files or import/require statements across the codebase confirms that these resolutions are being applied at the appropriate level. The security patches ([email protected], [email protected], [email protected]) are correctly specified in the resolutions section of the root package.json, which is the right approach for ensuring all instances of these dependencies use the secure versions throughout the dependency tree.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any other instances of vulnerable packages
# that might need patching at a higher level

echo "Checking for other instances of vulnerable packages..."
yarn why dompurify secp256k1 ws

Length of output: 224

---

Script:

#!/bin/bash
# Let's try a different approach using ripgrep to find dependencies
echo "Searching for package dependencies..."

# Search for these packages in package.json files
echo "Checking package.json files:"
rg -U "\"(dompurify|secp256k1|ws|yargs-unparser)\"" --type json -g "package*.json" -A 1 -B 1

# Search for require/import statements
echo -e "\nChecking import/require statements:"
rg -U "(require|import).*['\"](@types/)?(dompurify|secp256k1|ws|yargs-unparser)" --type js --type ts -A 1 -B 1

Length of output: 446

web/package.json (2)

64-64: LGTM: Dependency updates look good.

The following dependency updates appear to be routine maintenance and don't introduce any known vulnerabilities:

• @wagmi/cli → ^2.1.16
• graphql → ^16.9.0
• siwe → ^2.3.2
• viem → ^2.21.35
• wagmi → ^2.12.25

Also applies to: 98-98, 117-117, 119-120

---

Line range hint 1-121: Critical: Address reported vulnerabilities.

The PR objectives mention critical vulnerabilities in the following packages that need to be addressed:

• dompurify-2.4.7.tgz (CVE-2024-47875, CVE-2024-45801) → Upgrade to 2.5.0 or 3.1.3
• secp256k1-4.0.3.tgz (CVE-2024-48930) → Upgrade to 3.8.1, 4.0.4, or 5.0.1
• ws-8.16.0.tgz (CVE-2024-37890) → Upgrade to 5.2.4, 6.2.3, 7.5.10, or 8.17.1

These vulnerabilities are not addressed in the current changes.

Let's verify if these are transitive dependencies:

contracts/package.json (2)

67-67: Review the dependency updates.

The version updates appear to be minor and patch updates that should maintain backward compatibility:

• @logtail/pino: ^0.4.19 -> ^0.4.22 (patch)
• @types/node: ^20.11.3 -> ^20.17.1 (minor)
• @wagmi/cli: ^2.0.3 -> ^2.1.16 (minor)
• graphql: ^16.8.1 -> ^16.9.0 (patch)
• pino: ^8.17.2 -> ^8.21.0 (minor)
• viem: ^2.21.26 -> ^2.21.35 (patch)

Also applies to: 76-77, 83-83, 95-95, 106-106

---

67-67: Verify if dependency updates address the reported vulnerabilities.

While the package updates look reasonable, we need to verify if the vulnerable packages (dompurify, secp256k1, ws) are transitive dependencies and if these updates resolve the reported vulnerabilities.

Let's check the dependency tree for the vulnerable packages:

Also applies to: 76-77, 83-83, 95-95, 106-106

✅ Verification successful

Dependencies have been updated to secure versions

Based on the analysis of the dependency tree:

• DOMPurify is at version 2.5.7, which is newer than the vulnerable 2.4.7
• secp256k1 is using version 5.0.0 and @noble/secp256k1 1.7.1, both of which are secure versions
• ws is using versions 8.17.1 and 8.18.0 in different dependency paths, which are newer than 8.16.0

The package updates have successfully addressed the reported vulnerabilities by upgrading to patched versions.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for vulnerable packages in the dependency tree

echo "Checking for vulnerable packages..."
# Look for dompurify in yarn.lock
rg "[email protected]" -A 5

# Look for secp256k1 in yarn.lock
rg "[email protected]" -A 5

# Look for ws in yarn.lock
rg "[email protected]" -A 5

Length of output: 152

---

Script:

#!/bin/bash
# Let's try a different approach to check the dependencies
# First, let's check if yarn.lock exists
if [ -f "yarn.lock" ]; then
    echo "Checking yarn.lock..."
    # Search for the packages without specific versions
    echo "Searching for dompurify..."
    rg "dompurify@" -A 5 yarn.lock
    echo "Searching for secp256k1..."
    rg "secp256k1@" -A 5 yarn.lock
    echo "Searching for ws..."
    rg "ws@" -A 5 yarn.lock
elif [ -f "package-lock.json" ]; then
    echo "Checking package-lock.json..."
    # Search in package-lock.json
    echo "Searching for dompurify..."
    rg "dompurify" -A 5 package-lock.json
    echo "Searching for secp256k1..."
    rg "secp256k1" -A 5 package-lock.json
    echo "Searching for ws..."
    rg "ws\":" -A 5 package-lock.json
fi

# Also check direct dependencies in package.json
echo "Checking direct dependencies in package.json..."
cat contracts/package.json | jq '.dependencies'

Length of output: 8038

subgraph/package.json (2)

Line range hint 2-2: Verify if version bump is required.

The package version is currently at 0.8.6. Given the security-related changes in this PR, consider if a version bump is needed following semantic versioning principles.

#!/bin/bash
# Description: Check for breaking changes or security fixes in dependencies that might require a version bump

# Check if there are any breaking changes in the updated dependencies
echo "Checking for breaking changes in gluegun..."
yarn info [email protected] --json | jq '.children.changelog'

# List all dependencies for version analysis
echo "Listing all dependencies for version analysis..."
yarn list --pattern "gluegun|@graphprotocol/graph-ts|@graphprotocol/graph-cli|matchstick-as"

---

81-81: Verify gluegun dependency update for security implications.

The update of gluegun to ^5.2.0 needs verification to ensure it doesn't introduce or maintain any of the vulnerable dependencies mentioned in issue #1726.

✅ Verification successful

The gluegun update appears safe regarding the mentioned vulnerabilities

The update of gluegun to ^5.2.0 does not introduce or maintain any of the vulnerable packages (dompurify-2.4.7.tgz, secp256k1-4.0.3.tgz, ws-8.16.0.tgz) as direct or transitive dependencies. The vulnerable packages found in yarn.lock are dependencies of other packages in the project, not of gluegun.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if [email protected] has any of the vulnerable packages as dependencies
echo "Checking for vulnerable dependencies in [email protected]..."
yarn info [email protected] dependencies --json | jq '.' 

# Also check for the specific vulnerable packages in the dependency tree
echo "Checking for specific vulnerable packages..."
yarn why dompurify secp256k1 ws

Length of output: 501

---

Script:

#!/bin/bash
# Let's try a different approach using ripgrep to analyze the yarn.lock file
echo "Checking yarn.lock for gluegun dependencies..."
rg -A 10 "^gluegun@" yarn.lock

echo "Checking for vulnerable packages in yarn.lock..."
rg "^(dompurify|secp256k1|ws)@" yarn.lock

echo "Checking package-lock.json if it exists..."
fd "package-lock.json" --exec rg -A 10 '"gluegun":'

Length of output: 433

---

Script:

#!/bin/bash
# Let's check if the files exist first and their content
echo "Checking for lock files..."
ls -la yarn.lock package-lock.json 2>/dev/null || echo "No lock files found"

echo "Checking subgraph directory..."
ls -la subgraph/yarn.lock subgraph/package-lock.json 2>/dev/null || echo "No lock files in subgraph/"

echo "Listing files in repository root..."
ls -la

echo "Listing files in subgraph directory..."
ls -la subgraph/ 2>/dev/null

Length of output: 4182

---

Script:

#!/bin/bash
# Let's examine the root yarn.lock for gluegun and vulnerable dependencies
echo "Checking gluegun dependencies in yarn.lock..."
rg -B 2 -A 10 "gluegun@\^5\.2\.0" yarn.lock

echo "Checking for vulnerable packages as dependencies..."
rg "dependencies:" -A 20 yarn.lock | rg -B 2 -A 2 "(dompurify|secp256k1|ws)(@|\s)"

Length of output: 2954

[coderabbitai]

⚠️ Potential issue

Fix package manager version inconsistency.

The packageManager field shows version 4.0.2 while the volta.yarn field shows 4.5.1. This inconsistency should be resolved to prevent potential dependency resolution issues.

Apply this diff to update the packageManager field:

-  "packageManager": "[email protected]+sha256.825003a0f561ad09a3b1ac4a3b3ea6207af2796d54f62a9420520915721f5186",
+  "packageManager": "[email protected]"

Also applies to: 13-13