[Snyk] Security upgrade @solana/web3.js from 1.58.0 to 1.91.3

[kingjay66]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Improper Restriction of Operations within the Bounds of a Memory Buffer SNYK-JS-SOLANAWEB3JS-6647564	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @solana/web3.js

The new version differs by 250 commits.

• 77d9352 fix: bounds check
• 5b21c65 refactor(experimental): nit: rename define to describe (Add strings for NavigationBar on relevant WebUI data sources directly brave/brave-core#2384)
• ce1be3f refactor(experimental): rename getScalarEnumCodec to getEnumCodec ([0.64.x] Fix dropdown colors for Shields on Windows brave/brave-core#2383)
• 7e86583 refactor(experimental): rename getDataEnumCodec to getDiscriminatedUnionCodec (Disable lookalike url feature brave/brave-core#2382)
• 49a764c refactor(experimental): support number and symbol discriminator values for getDataEnumCodec (Branch migration (master branch) brave/brave-core#2381)
• bf029dd refactor(experimental): support custom discriminator property for getDataEnumCodec ([0.65.x] Fix dropdown colors for Shields on Windows brave/brave-core#2380)
• 3c33220 Move comments about signature busting to the callsites that bust the signatures (Update test to use NDEBUG check instead of only the OFFICIAL_BUILD (uplift to 0.66.x) brave/brave-core#2386)
• 4fbec68 Upgrade to Jest 30 (Fix URL comparison for landed ad, easter egg and search engine state brave/brave-core#1914)
• 50fe84e Revert "Show no Turbo logs except when there is an error (Removes date from ads grants in the wallet (0.64.x) brave/brave-core#2366)" (Update test to use NDEBUG check instead of only the OFFICIAL_BUILD brave/brave-core#2385)
• b566e7a Enable `require-await` linter (Upgrade patches from Chromium "74.0.3729.108" to Chromium 74.0.3729.131 brave/brave-core#2353)
• 8af5427 Show no Turbo logs except when there is an error (Removes date from ads grants in the wallet (0.64.x) brave/brave-core#2366)
• 478443f Validate that the public key generated from createKeyPairFromBytes() belongs to the private key (Fixes Reset Profile dialog. brave/brave-core#2329)
• 9370133 Negative error codes now get decoded correctly by the production error decoder (enable android apk build from brave-core brave/brave-core#2376)
• 6135928 Split the dependency between `compile:typedefs` and the legacy library (Remove URLFetcher related code that are not used in gcm_unittest.cc. brave/brave-core#2370)
• 38000cb Find all misnamed Rollup configs and fix them (Ads first launch notification timer no longer fires after notification dismissal brave/brave-core#2371)
• 6eded26 Bust the prettier cache any time any file changes (Fix Brave Ads default fallback language should be "en-US" instead of "en-cUS" brave/brave-core#2369)
• c03a8d5 Strip `outputs` from the Turborepo config, because omitting it is the same as passing an empty array (Bumping to 0.66.46 brave/brave-core#2368)
• 99a9cbe Break the `style:fix` cache any time any file changes (Removes date from ads grants in the wallet (0.63.x) brave/brave-core#2367)
• 4402f35 Since tests depend on _implementations_, make sure to build upstreams before running tests (Add "New Private Window with Tor" to file menu brave/brave-core#2373)
• 94f2053 Move dependencies out of `devDependencies` where they are used in the implementation (Issue 4335: Disable SafeBrowsing in Tor brave/brave-core#2375)
• 65f262c Run `style:fix` with the new, actually working config (Removes date from ads grants in the wallet (0.65.x) brave/brave-core#2365)
• d2c0daf Make the Prettier task behave more like your editor (Update sync extension to include fix for test-security brave/brave-core#2364)
• 5908de2 Patch `jest-runner-prettier` to work with Prettier 3 (Update sync extension to include fix for test-security brave/brave-core#2363)
• 0a19b75 Upgrade to Turbo 1.13

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@solana/web3.js@1.91.3	network Transitive: environment, filesystem	+18	14.5 MB	buffalojoec

🚮 Removed packages: npm/eslint-plugin-import@2.27.5, npm/eslint-plugin-jest@27.2.1

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Network access	npm/node-fetch@2.7.0	Module: globalThis["fetch"] Location: Package overview	package-lock.json package.json
Network access	npm/node-fetch@2.7.0	Module: http Location: Package overview	package-lock.json package.json
Network access	npm/node-fetch@2.7.0	Module: https Location: Package overview	package-lock.json package.json
New author	npm/@solana/buffer-layout@4.0.1	New Author: steveluscher Previous Author: jordansexton	package-lock.json package.json
Network access	npm/agentkeepalive@4.5.0	Module: https Location: Package overview	package-lock.json package.json
Network access	npm/agentkeepalive@4.5.0	Module: http Location: Package overview	package-lock.json package.json
Network access	npm/jayson@3.7.0	Module: http Location: Package overview	package-lock.json package.json
Network access	npm/jayson@3.7.0	Module: tls Location: Package overview	package-lock.json package.json
Network access	npm/jayson@3.7.0	Module: net Location: Package overview	package-lock.json package.json
Network access	npm/jayson@3.7.0	Module: https Location: Package overview	package-lock.json package.json

View full report↗︎

Next steps

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/node-fetch@2.7.0
• @SocketSecurity ignore npm/@solana/buffer-layout@4.0.1
• @SocketSecurity ignore npm/agentkeepalive@4.5.0
• @SocketSecurity ignore npm/jayson@3.7.0