From 42aae430a79b366542417c28348ff29b3f143d0a Mon Sep 17 00:00:00 2001
From: Drew Stone
Date: Wed, 20 May 2026 09:05:20 -0600
Subject: [PATCH] chore(deps): bump ws past advisory

Pin ws to ^8.20.1 via pnpm override to close GHSA-58qx-3vcg-4xpx (CVE-2026-45736, "Uninitialized memory disclosure", medium severity).

ws is a transitive dependency pulled by viem (peer of @tangle-network/tcloud and @tangle-network/sandbox). Direct deps do not expose ws, so the fix is applied via pnpm.overrides rather than a direct-dep bump.

Versions:
- ws: 8.18.3 -> 8.20.1 (vulnerable range was >=8.0.0 <8.20.1)

Verification: typecheck + 1220 tests + build all green.
---
 package.json   |  3 ++-
 pnpm-lock.yaml | 17 +++++++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/package.json b/package.json
index 278cf3a..f176d90 100644
--- a/package.json
+++ b/package.json
@@ -140,7 +140,8 @@
     "minimumReleaseAge": 4320,
     "minimumReleaseAgeExclude": [],
     "overrides": {
-      "postcss@<8.5.10": "^8.5.10"
+      "postcss@<8.5.10": "^8.5.10",
+      "ws@>=8.0.0 <8.20.1": "^8.20.1"
     }
   },
   "engines": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 776f884..7f3cf19 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6,6 +6,7 @@ settings:
 
 overrides:
   postcss@<8.5.10: ^8.5.10
+  ws@>=8.0.0 <8.20.1: ^8.20.1
 
 importers:
 
@@ -639,7 +640,7 @@ packages:
   isows@1.0.7:
     resolution: {integrity: sha512-I1fSfDCZL5P0v33sVqeTDSpcstAg/N+wF5HS033mogOVIp4B+oHC7oOCsA3axAbBSGTJ8QubbNmnIRN/h8U7hg==}
     peerDependencies:
-      ws: '*'
+      ws: ^8.20.1
 
   joycon@3.1.1:
     resolution: {integrity: sha512-34wB/Y7MW7bzjKRjUKTa46I2Z7eV62Rkhva+KkopW7Qvv/OSWBqvkSY7vusOPrNuZcUG3tApvdVgNB8POj3SPw==}
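Review bot: The override key `"ws@>=8.0.0 <8.20.1": "^8.20.1"` rewrites only specs that fall inside the advisory's range, so any ws spec outside it (a 7.x line, or a future 9.x) is left alone; that is correct for GHSA-58qx-3vcg-4xpx but means the override must be revisited, not extended, when a later ws advisory lands. The verification in the commit message lists typecheck, tests and build but not `pnpm audit`; running it against the updated lockfile is the step that actually confirms the advisory no longer matches, and is worth recording alongside the other checks. The `"minimumReleaseAge": 4320` setting two lines above presumably withholds versions published less than that many minutes ago, so a freshly published security patch may not be installable through an override until the window passes or the package is listed in `"minimumReleaseAgeExclude"`; since package.json cannot carry a comment, the PR description is the place to note that interaction for the next bump.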
@@ -927,8 +928,8 @@ packages:
     engines: {node: '>=8'}
     hasBin: true
 
-  ws@8.18.3:
-    resolution: {integrity: sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==}
+  ws@8.20.1:
+    resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==}
     engines: {node: '>=10.0.0'}
     peerDependencies:
       bufferutil: ^4.0.1
@@ -1388,9 +1389,9 @@ snapshots:
 
   hono@4.12.18: {}
 
-  isows@1.0.7(ws@8.18.3):
+  isows@1.0.7(ws@8.20.1):
     dependencies:
-      ws: 8.18.3
+      ws: 8.20.1
 
   joycon@3.1.1: {}
 
@@ -1602,9 +1603,9 @@ snapshots:
       '@scure/bip32': 1.7.0
       '@scure/bip39': 1.6.0
       abitype: 1.2.3(typescript@5.9.3)(zod@4.3.6)
-      isows: 1.0.7(ws@8.18.3)
+      isows: 1.0.7(ws@8.20.1)
       ox: 0.14.20(typescript@5.9.3)(zod@4.3.6)
-      ws: 8.18.3
+      ws: 8.20.1
     optionalDependencies:
       typescript: 5.9.3
     transitivePeerDependencies:
@@ -1692,7 +1693,7 @@ snapshots:
     siginfo: 2.0.0
     stackback: 0.0.2
 
-  ws@8.18.3: {}
+  ws@8.20.1: {}
 
   yaml@2.8.3: {}
 