
Fix npm audit findings in TypeScript SDK packages #781

Merged: philanton merged 2 commits into main from feat/fix-ws-cve-2026-45736 on May 27, 2026

Conversation

@ihsraham ihsraham (Collaborator) commented May 22, 2026

Summary

  • Update TypeScript SDK and example package viem ranges so they resolve ws@8.20.1.
  • Pin direct ws usage in sdk/ts and app_sessions to the patched 8.20.1 release.
  • Add an npm override in sdk/ts so the dev-only ethers dependency dedupes to ws@8.20.1 instead of keeping a vulnerable nested copy.
  • Refresh sdk/ts/package-lock.json dev-tool transitive dependencies so brace-expansion resolves to 5.0.6 and diff resolves to 4.0.4.

Validation

  • cd sdk/ts && npm audit --package-lock-only --json reports 0 vulnerabilities
  • Package-lock audits for sdk/ts, sdk/ts/examples/app_sessions, and sdk/ts/examples/example-app all report 0 vulnerabilities
  • cd sdk/ts && npm run typecheck
  • cd sdk/ts && npm test (12 suites, 180 tests)

Summary by CodeRabbit

  • Chores
    • Updated viem dependency to version 2.50.4 across SDK and example packages
    • Updated ws dependency to versions 2.20.1 and 2.21.0 in example packages
    • Added dependency override configuration for ws in main SDK package


@coderabbitai coderabbitai (Contributor, bot) commented May 22, 2026

Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

This PR updates TypeScript SDK and example application dependencies to maintain compatibility. The main SDK package.json bumps viem to ^2.50.4 and introduces an npm overrides section pinning ws to 8.21.0. Both example applications receive viem updates to ^2.50.4; app_sessions also updates ws to ^8.20.1.

Changes

Dependency Version Updates

Layer | File(s) | Summary
Main SDK viem and ws updates | sdk/ts/package.json | viem is bumped from ^2.46.1 to ^2.50.4 in dependencies, and a new top-level overrides section pins ws to 8.21.0.
Example applications viem updates | sdk/ts/examples/app_sessions/package.json, sdk/ts/examples/example-app/package.json | Both example packages receive viem ^2.50.4; app_sessions additionally updates ws from ^8.18.3 to ^8.20.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • layer-3/nitrolite#575: Prior viem dependency bump in sdk/ts/package.json (from ^2.44.0 to ^2.44.4), establishing a pattern of viem version alignment across the codebase.

Suggested reviewers

  • nksazonov
  • philanton
  • dimast-x

Poem

🐰 Hop along, dear viem—now 2.50.4 strong,

While ws finds its home in overrides all day long.

Examples dance in sync, no version held too tight,

Dependencies aligned—a harmonious compile height! 🌟

Pre-merge checks (5 passed)

Check name | Status | Explanation
Description Check | Passed | Check skipped: CodeRabbit's high-level summary is enabled.
Title check | Passed | The title 'Fix npm audit findings in TypeScript SDK packages' directly and clearly describes the main objective of the changeset, which is to address npm audit vulnerabilities in the TypeScript SDK packages.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.


@ihsraham ihsraham changed the title [codex] Fix ws vulnerability in TypeScript SDK packages Fix ws vulnerability in TypeScript SDK packages May 22, 2026
@ihsraham ihsraham changed the title Fix ws vulnerability in TypeScript SDK packages [codex] Fix npm audit findings in TypeScript SDK packages May 22, 2026
@ihsraham ihsraham changed the title [codex] Fix npm audit findings in TypeScript SDK packages Fix npm audit findings in TypeScript SDK packages May 22, 2026
@ihsraham ihsraham marked this pull request as ready for review May 27, 2026 10:35
@philanton philanton force-pushed the feat/fix-ws-cve-2026-45736 branch from 29c5ef5 to 366b594 May 27, 2026 10:48
@philanton philanton merged commit 84a7e81 into main May 27, 2026
16 of 17 checks passed
@philanton philanton deleted the feat/fix-ws-cve-2026-45736 branch May 27, 2026 10:53