
Security: 10 unfixable npm vulnerabilities in transitive dependencies #125

@md84

Description

Summary

After running npm audit fix and npm audit fix --force, 10 vulnerabilities remain
that cannot be resolved automatically. These are in transitive dependencies with no
upstream fix available.

Audit Results

| Package | Severity | Issue | Root Cause |
|---|---|---|---|
| d3-color < 3.1.0 | HIGH | ReDoS (GHSA-36jr-mh4h-2g58) | Via 0x → d3-fg → d3-zoom → d3-scale → d3-interpolate → d3-color |
| elliptic * | HIGH | Risky crypto primitive (GHSA-848j-6mx2-7j84) | Via crypto-browserify → browserify-sign / create-ecdh → elliptic |

Suggested Fixes

  1. Replace 0x profiler with clinic.js or node --prof — eliminates entire d3-color chain.
  2. Replace crypto-browserify with Node.js native crypto (Node 18+) — eliminates elliptic chain.

Additional Finding

Hardcoded API key in packages/agent-booster/benchmarks/morph-benchmark.js:12:

const MORPH_API_KEY = 'sk-ifrAh8auI9Gkk2J_...'

Should be rotated and replaced with process.env.MORPH_API_KEY.

Environment

  • Node.js 18+
  • npm audit run on 2026-03-10
  • Started with 30 vulnerabilities, resolved 20 via npm audit fix --force

Thank you for the great project!
