Dependencies security updates (#36)

* fix: update dependencies for security vulnerabilities

**Direct dependency updates:**
- happy-dom: ^17.4.4 → ^20.3.1 (critical: VM Context Escape fix)
- playwright: ^1.52.0 → ^1.57.0 (high: SSL certificate verification fix)
- next: 15.3.6 → 15.5.9 (moderate: Server Actions Source Code Exposure fix)
- vite: ^6.3.5 → ^6.4.1 (low: middleware and fs settings fixes)
- vitest: ^3.2.4 → ^4.0.17 (fixes glob vulnerability)
- @vitest/coverage-v8: ^3.2.4 → ^4.0.17
- @vitest/browser: ^3.1.2 → ^4.0.17
- eslint: ^9.34.0 → ^9.39.2 (fixes @eslint/plugin-kit ReDoS)
- @eslint/js: ^9.26.0 → ^9.39.2
- @next/eslint-plugin-next: ^15.3.6 → ^15.5.9
- vite-plugin-node-polyfills: ^0.23.0 → ^0.25.0

**pnpm overrides for transitive dependencies:**
- glob: >=10.5.0 (high: command injection fix)
- form-data: >=4.0.4 (critical: unsafe random fix)
- axios: >=1.12.0 (high: SSRF and DoS fixes)
- qs: >=6.14.1 (high: DoS via memory exhaustion fix)
- js-yaml: >=4.1.1 (moderate: prototype pollution fix)
- tmp: >=0.2.4 (low: symlink dir fix)
- mermaid: >=11.10.0 (moderate: vulnerabilities fix)
- mdast-util-to-hast: >=13.2.1 (moderate: unsanitized class fix)
- pbkdf2: >=3.1.3 (critical: Uint8Array input fix)
- sha.js: >=2.4.12 (critical: hash rewind fix)

Reduced vulnerabilities from 35 to 4 (3 low, 1 moderate).
Remaining issues are unfixable transitive dependencies:
- vite in @vitest/browser (needs vitest update)
- elliptic (no patch available)

Co-authored-by: greg <greg@gnazar.io>

* test: update fetchNameFromAddress snapshot for changed on-chain data

The ANS name for address 0xfb385da49059a1a0617f085eddeeb67ef2b0f4d0ca0b3e324f36af35650351fa
changed from 'rasa.apt' to 'fasterandmorefuriouser.apt' on testnet.

Co-authored-by: greg <greg@gnazar.io>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>

Author: gregnazario

apps/docs/package.json

@@ -21,7 +21,7 @@
     "clsx": "^2.1.1",
     "lucide-react": "^0.468.0",
     "motion": "^12.23.12",
-    "next": "15.3.6",
+    "next": "15.5.9",
     "nextra": "4.3.0-alpha.22",
     "nextra-theme-docs": "4.3.0-alpha.22",
     "react": "19.1.2",

examples/vite/package.json

@@ -29,14 +29,14 @@
     "sonner": "^1.7.4",
     "tailwind-merge": "^3.2.0",
     "tailwindcss": "^4.1.5",
-    "vite-plugin-node-polyfills": "^0.23.0"
+    "vite-plugin-node-polyfills": "^0.25.0"
   },
   "devDependencies": {
     "@aptos-labs/eslint-config-petra": "workspace:*",
     "@types/react": "^19.1.3",
     "@types/react-dom": "^19.1.3",
     "@vitejs/plugin-react": "^4.4.1",
     "tw-animate-css": "^1.2.9",
-    "vite": "^6.3.5"
+    "vite": "^6.4.1"
   }
 }

package.json

@@ -16,12 +16,12 @@
   "devDependencies": {
     "@changesets/cli": "^2.29.6",
     "@types/node": "22.15.3",
-    "@vitest/coverage-v8": "^3.2.4",
-    "eslint": "^9.34.0",
+    "@vitest/coverage-v8": "^4.0.17",
+    "eslint": "^9.39.2",
     "prettier": "^3.6.2",
     "turbo": "^2.5.6",
     "typescript": "^5.9.2",
-    "vitest": "^3.2.4"
+    "vitest": "^4.0.17"
   },
   "packageManager": "pnpm@10.15.0",
   "engines": {
@@ -36,6 +36,18 @@
       "esbuild",
       "sharp",
       "utf-8-validate"
-    ]
+    ],
+    "overrides": {
+      "glob": ">=10.5.0",
+      "form-data": ">=4.0.4",
+      "axios": ">=1.12.0",
+      "qs": ">=6.14.1",
+      "js-yaml": ">=4.1.1",
+      "tmp": ">=0.2.4",
+      "mermaid": ">=11.10.0",
+      "mdast-util-to-hast": ">=13.2.1",
+      "pbkdf2": ">=3.1.3",
+      "sha.js": ">=2.4.12"
+    }
   }
 }

packages/eslint-config/package.json

@@ -9,9 +9,9 @@
     "./next": "./next.js"
   },
   "devDependencies": {
-    "@eslint/js": "^9.26.0",
-    "@next/eslint-plugin-next": "^15.3.6",
-    "eslint": "^9.26.0",
+    "@eslint/js": "^9.39.2",
+    "@next/eslint-plugin-next": "^15.5.9",
+    "eslint": "^9.39.2",
     "eslint-config-prettier": "^10.1.3",
     "eslint-plugin-headers": "^1.2.1",
     "eslint-plugin-only-warn": "^1.1.0",

packages/js-pro/src/queries/fetchNameFromAddress.test.ts

@@ -13,7 +13,7 @@ describe("fetchAddressFromName", () => {
       address: AccountAddress.from(address),
     });
 
-    expect(name?.toString()).toMatchInlineSnapshot(`"rasa.apt"`);
+    expect(name?.toString()).toMatchInlineSnapshot(`"fasterandmorefuriouser.apt"`);
   });
 
   test("should return null if the name is not found", async ({ testnet }) => {

packages/react/package.json

@@ -65,12 +65,12 @@
     "@testing-library/react": "^16.3.0",
     "@types/react": "^19.1.2",
     "@types/react-dom": "^19.1.2",
-    "@vitest/browser": "^3.1.2",
+    "@vitest/browser": "^4.0.17",
     "dotenv": "^16.5.0",
-    "happy-dom": "^17.4.4",
-    "playwright": "^1.52.0",
+    "happy-dom": "^20.3.1",
+    "playwright": "^1.57.0",
     "tsup": "^8.4.0",
-    "vitest": "^3.1.2"
+    "vitest": "^4.0.17"
   },
   "keywords": [
     "aptos",

packages/react/src/queries/useNameFromAddress.test.ts

@@ -16,5 +16,5 @@ test("useNameForAddress", async ({ testnet }) => {
 
   await waitFor(() => expect(result.current.isSuccess).toBeTruthy());
 
-  expect(result.current.data?.toString()).toMatchInlineSnapshot(`"rasa.apt"`);
+  expect(result.current.data?.toString()).toMatchInlineSnapshot(`"fasterandmorefuriouser.apt"`);
 });