8 vulnerabilities (4 high, 4 critical)

[wpingsuper]

Current Behavior

crypto-es <2.1.0
Severity: critical
crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard - GHSA-mpj8-q39x-wq5h
No fix available
node_modules/crypto-es
bnc-sdk >=2.0.0
Depends on vulnerable versions of crypto-es
node_modules/bnc-sdk
@web3-onboard/core >=2.2.13-alpha.2
Depends on vulnerable versions of @web3-onboard/common
Depends on vulnerable versions of bnc-sdk
Depends on vulnerable versions of viem
node_modules/@web3-onboard/core
@web3-onboard/transaction-preview *
Depends on vulnerable versions of @web3-onboard/common
Depends on vulnerable versions of bnc-sdk
node_modules/@web3-onboard/transaction-preview

ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - GHSA-3h5v-q93c-6h6q
fix available via npm audit fix --force
Will install @web3-onboard/[email protected], which is a breaking change
node_modules/viem/node_modules/ws
viem <=0.0.0-wagmiv2-20230628182101 || 0.2.2 - 2.15.0
Depends on vulnerable versions of ws
node_modules/viem
@web3-onboard/common >=2.4.0-alpha.2
Depends on vulnerable versions of viem
node_modules/@web3-onboard/common
@web3-onboard/injected-wallets >=2.11.0-alpha.2
Depends on vulnerable versions of @web3-onboard/common
node_modules/@web3-onboard/injected-wallets

Expected Behavior

No response

Steps To Reproduce

No response

What package is effected by this issue?

@web3-onboard/core

Is this a build or a runtime issue?

Build, Runtime

Package Version

2.22.2

Node Version

No response

What browsers are you seeing the problem on?

No response

Relevant log output

No response

Anything else?

No response

Sanity Check

• If this is a build issue, I have included my build config. If this is a runtime issue, I have included reproduction steps and/or a Minimal, Reproducible Example.