
feat: define sjcl type definitions#8324

Open
bitgoAaron wants to merge 1 commit into master from aloe/fixSjclTypes

Conversation


@bitgoAaron bitgoAaron commented Mar 19, 2026

Exception Type: CVE

Justification: High Severity CVE in flatted, patch available. High Severity CVE in sjcl, overrides to @bitgo/sjcl fork.

Current Dependencies:

  • flatted@3.4.0
  • sjcl@1.0.8

Upgrade To:

  • flatted@3.4.2
  • @bitgo/sjcl (local fork override)

CVE Link:
GHSA-rf6f-7fwh-wjgh
GHSA-2w8x-224x-785m

TICKET: WP-8258

  • fix sjcl dependencies to use @bitgo/sjcl fork
  • define types for this package
  • set package overrides to this version, and upgrade flatted resolution
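As an added example that is not part of this PR, a small post-install check that overrides like the ones described above actually took effect: it parses package.json-style override specs (the `@bitgo/sjcl` version is a placeholder) and flags any installed entry that still resolves to upstream `sjcl` or to a `flatted` below 3.4.2. The lockfile view and the before/after trees are constructed sample data.

```javascript
// Added example, not code from the PR: verify that dependency overrides took
// effect in the installed tree. Entries are a constructed lockfile view:
// { name, version, resolvedName }. The fork version is a placeholder.
const OVERRIDES = {
  flatted: "3.4.2",              // minimum patched version named in the PR
  sjcl: "npm:@bitgo/sjcl@0.0.0", // alias to the fork; version is a placeholder
};

// "npm:@scope/name@1.2.3" -> { name: "@scope/name", version: "1.2.3" }; a plain version keeps the key as name.
function parseOverride(key, spec) {
  if (!spec.startsWith("npm:")) return { name: key, version: spec };
  const body = spec.slice(4);
  const at = body.lastIndexOf("@"); // index 0 would be the scope's own "@"
  if (at <= 0) return { name: body, version: null };
  return { name: body.slice(0, at), version: body.slice(at + 1) };
}

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}
function semverGte(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] > y[i];
  return true;
}

// Returns findings as strings; an empty array means every override is honoured.
function checkResolutions(entries, overrides = OVERRIDES) {
  const findings = [];
  for (const e of entries) {
    if (!(e.name in overrides)) continue;
    const want = parseOverride(e.name, overrides[e.name]);
    if (want.name !== e.resolvedName) {
      findings.push(`${e.name} resolves to ${e.resolvedName}, expected ${want.name}`);
    } else if (want.version && !semverGte(e.version, want.version)) {
      findings.push(`${e.name}@${e.version} is below required ${want.version}`);
    }
  }
  return findings;
}

// Constructed trees: the dependency state before and after overrides are applied.
const BEFORE = [
  { name: "flatted", version: "3.4.0", resolvedName: "flatted" },
  { name: "sjcl", version: "1.0.8", resolvedName: "sjcl" },
];
const AFTER = [
  { name: "flatted", version: "3.4.2", resolvedName: "flatted" },
  { name: "sjcl", version: "0.0.0", resolvedName: "@bitgo/sjcl" },
];
```

Run `checkResolutions(BEFORE)` to see both findings and `checkResolutions(AFTER)` to confirm an empty result.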

@bitgoAaron bitgoAaron force-pushed the aloe/fixSjclTypes branch 2 times, most recently from 8be9263 to 9b78015 on March 20, 2026 00:10
fix sjcl dependencies to use @bitgo/sjcl fork
define types for this package
set package overrides to this version, and
ignore
upgrade flatted resolution

Ticket: WP-8258
@bitgoAaron bitgoAaron marked this pull request as ready for review March 20, 2026 12:50
@bitgoAaron bitgoAaron requested review from a team as code owners March 20, 2026 12:50
@bhargavirao24

flatted@3.4.2 - Approved
Exception for CVE fix. SafeChain passed, Socket 90. Approving the PR.

@bitgo/sjcl - Conditionally approved
Approving this as an interim solution to unblock. Adding sjcl to the .yarn file means whitelisting a library we intended to remove. Security prefers not to add entries to the .yarn file; ideally it stays empty. This is low risk and we are safe to ignore for now, but it doesn't fully address the underlying concern. I see a historical ticket (https://bitgoinc.atlassian.net/browse/WP-6408) to address this library and will discuss with the Wallets EM how we can remove this unmaintained cryptographic library, which has no patch available to fix.

Approving for now but follow-up required to address this underlying dependency issue.
