Summary
fdp-contracts has accumulated 97 open Dependabot alerts since the last commit (master last pushed 2024-03-20, ~2.2y ago). The published JS library @fairdatasociety/fdp-contracts-js is consumed downstream by fdp-storage (^3.11.0), so the dormancy creates a compounding security gap rather than a clean archive candidate like fdp-create-account#303.
Alert breakdown
| Severity | Total | Runtime | Development |
|---|---|---|---|
| Critical | 7 | 2 | 5 |
| High | 36 | 6 | 30 |
| Medium | 29 | 4 | 25 |
| Low | 25 | 11 | 14 |
| Total | 97 | 23 | 74 |
Runtime crit + high (23 total, top 8 representative)
- `elliptic` CRIT in `package-lock.json` + `js-library/package-lock.json` (ECDSA signature malleability — same family as fdp-storage#309)
- `axios` HIGH x2 in `package-lock.json` (SSRF / credential leak — same family as fdp-storage#311)
- `ws` HIGH x3 in both lockfiles (DoS via HTTP headers — same family as fdp-storage#313)
- `tar-fs` HIGH in `package-lock.json` (path traversal)
Dev-scope crit (5)
`babel-traverse` x2, `minimist`, `json-schema`, `underscore` — all in the build/test toolchain. No deploy impact, but a signal of overall freshness.
Why this is not a clean archive case
Unlike fdp-create-account#303 (no DNS, no consumers, 2.5y dormant → archive), fdp-contracts is upstream of active code:
- `@fairdatasociety/fdp-contracts-js@^3.11.0` is a runtime dep of fdp-storage (verified in `fdp-storage/package.json:58`)
- Last npm publish: fdp-contracts-js-lib v3.12.0, 2024-03-20
- 4 stars / 1 fork / 0 issue comments since 2024-01
Archiving would freeze the supply chain. Reviving requires a maintainer.
Recommended options (human decision)
A. Security release — bump runtime deps (`elliptic` ≥6.6.1, `axios` ≥1.15.2, `ws` ≥8.17.1, `tar-fs` ≥3.0.7), republish `fdp-contracts-js` as 3.12.1, then bump fdp-storage to consume it. Closes 6 of fdp-storage's open security issues at the source.
B. Decouple fdp-storage — replace `@fairdatasociety/fdp-contracts-js` with the underlying primitives directly (ENS calls via `ethers`, ABIs vendored in fdp-storage). Higher diff but removes the dormant-upstream risk.
C. Time-box revival — add `basic-ftp`/`elliptic`/`ws`/`axios` overrides via a `package-lock.json` regen on a single PR, accept the dev-scope alerts as parked, leave the repo otherwise dormant. Lowest effort, partial fix.
D. Mirror to FDS-DAO maintainer team — transfer ownership to a sub-team with explicit security-cadence responsibility, preserving the historical contract addresses + ABI surface.
Verification commands
```
gh api 'repos/fairDataSociety/fdp-contracts/dependabot/alerts?state=open' --paginate --jq 'length'
→ 97
grep fdp-contracts ~/path/to/fdp-storage/package.json
→ "@fairdatasociety/fdp-contracts-js": "^3.11.0",
```
Relationship to existing issues
- Mirrors structurally what's tracked in fdp-storage #309 (elliptic), #311 (axios), #313 (ws), #314 (medium runtime)
- Different from fdp-create-account#303 — that repo has no consumers; this one does
- No prior security issue exists on this repo (verified via `gh issue list`)
cc @fairDataSociety maintainer team — flagging for human decision on Option A vs B vs C vs D.
Filed by FDS heartbeat operator (cto role) during 2026-05-10 dormant-repo sweep, following fdp-create-account#303 pattern. Awaits human triage.