fix: resolve hashgraph vulnerability #8236

Merged: mrdanish26 merged 1 commit into master from WP-8115, Mar 3, 2026
mrdanish26 commented Mar 3, 2026

TICKET: WP-8115

Vulnerability identified during the sdk release: https://github.com/BitGo/BitGoJS/actions/runs/22640101489/job/65613574496

Summary

  • Upgrade @hashgraph/proto from 2.12.0 to 2.22.0, which drops the
    protobufjs-cli dependency entirely, eliminating the transitive chain
    to the vulnerable [email protected] (CVE-2021-23358, GHSA-qpx9-hpmf-5gmw)
  • Bump long from ^4.0.0 to ^5.2.3 to unify on a single version across
    @hashgraph/sdk, @hashgraph/proto, and protobufjs, resolving potential
    instanceof failures from dual Long class versions at runtime
  • Update import * as Long from 'long' to import Long from 'long' in 5
    source files for long@5 ESM compatibility (esModuleInterop already enabled)

mrdanish26 marked this pull request as ready for review March 3, 2026 21:15
mrdanish26 requested review from a team as code owners March 3, 2026 21:15
mrdanish26 merged commit 838b4de into master Mar 3, 2026
21 checks passed
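
A way to confirm both effects the summary describes from a lockfile: which dependency chains reach a flagged package, and whether more than one copy of `long` is installed. This is an added example, not code from this PR or from BitGoJS. The lockfile fragment is constructed, `vulnerable-pkg`, the `0.0.0` versions and the direct edge from `protobufjs-cli` are placeholders, and the function names are hypothetical.

```javascript
// Constructed package-lock.json (lockfileVersion 3) fragment for illustration.
// "vulnerable-pkg", the 0.0.0 versions and who pins which long range are assumed.
const sampleLock = {
  packages: {
    "": { dependencies: { "@hashgraph/proto": "2.12.0", long: "^5.2.3" } },
    "node_modules/@hashgraph/proto": {
      version: "2.12.0",
      dependencies: { long: "^4.0.0", "protobufjs-cli": "*" },
    },
    "node_modules/@hashgraph/proto/node_modules/long": { version: "4.0.0" },
    "node_modules/long": { version: "5.2.3" },
    "node_modules/protobufjs-cli": { version: "0.0.0", dependencies: { "vulnerable-pkg": "*" } },
    "node_modules/vulnerable-pkg": { version: "0.0.0" },
  },
};

// npm resolution: try the requirer's own node_modules, then each ancestor's.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every chain from the root project to `target`, as arrays of package names.
// Follows dependencies and optionalDependencies only.
function findChains(lock, target) {
  const chains = [];
  const walk = (path, trail, seen) => {
    const meta = lock.packages[path];
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(lock.packages, path, name);
      if (!next || seen.has(next)) continue; // unresolved or dependency cycle
      if (name === target) chains.push([...trail, name]);
      else walk(next, [...trail, name], new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// Distinct installed versions of `name`; more than one means duplicate copies,
// the condition under which instanceof checks across copies can fail.
function installedVersions(lock, name) {
  const suffix = "node_modules/" + name;
  const hits = Object.entries(lock.packages).filter(([p]) => p === suffix || p.endsWith("/" + suffix));
  return [...new Set(hits.map(([, meta]) => meta.version))].sort();
}
```

On the constructed "before" fragment, `findChains(sampleLock, "vulnerable-pkg")` returns one chain through `protobufjs-cli`, and `installedVersions(sampleLock, "long")` returns two versions.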