[BUG] Security vulnerability via transitive dependency h3 failing CI builds #2798

@tomasoliveirz

Description

Current Behavior

Hi team,
We are currently using your packages, but our CI/CD pipelines (Cycode / yarn audit) are failing due to the h3 transitive dependency.
It looks like h3 has had quite a few security patches in a really short timeframe (you can check the recent h3 vulnerabilities on the GitHub Advisory Database here). We had just bypassed it for 1.15.5, then Dependabot flagged 1.15.9, and now it's already requiring 1.15.10. Right now, we're having to use resolutions in our package.json to force the secure version and keep our builds green, but we'd rather not keep this forever.

Expected Behavior

The package should ideally use a secure version of h3 (at least ^1.15.10) so that downstream users don't get Dependabot alerts or failing security audits right out of the box. Bumping the version and regenerating the lockfile should fix it.

Steps To Reproduce

  1. Install @onflow/fcl in a project using Yarn.
  2. Run yarn audit
  3. See the security vulnerabilities flagged for h3

Environment

- OS: macOS
- Node: 22.22.0
- yarn: 1.22.22

What are you currently working on that this is blocking?

It's failing our automated security checks (Cycode / Dependabot) in our CI/CD pipelines, forcing us to use manual resolutions to unblock deployments.
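The steps above run `yarn audit` by hand; the script below, added here as an illustration and not part of the issue or of @onflow/fcl, does the same check offline by scanning a Yarn v1 lockfile (the format yarn 1.22.x writes) for every resolved version of h3 and flagging those below the 1.15.10 floor the reporter mentions, then shows the package.json `resolutions` pin used as the interim workaround. The lockfile embedded in the script is constructed for the example; its descriptors and versions are made up and do not describe the real @onflow/fcl dependency tree.

```javascript
// Added example (not code from the issue or from @onflow/fcl): find every
// resolved version of a transitive dependency in a Yarn v1 lockfile and
// report the ones below a required minimum. SAMPLE_LOCK is constructed for
// illustration; replace it with fs.readFileSync('yarn.lock', 'utf8') to scan
// a real project.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@onflow/fcl@^1.13.0":
  version "1.13.0"
  resolved "https://registry.yarnpkg.com/@onflow/fcl/-/fcl-1.13.0.tgz"
  dependencies:
    some-http-lib "^2.0.0"

h3@^1.12.0, h3@^1.13.0:
  version "1.15.5"
  resolved "https://registry.yarnpkg.com/h3/-/h3-1.15.5.tgz"

h3@^1.15.9:
  version "1.15.9"
  resolved "https://registry.yarnpkg.com/h3/-/h3-1.15.9.tgz"

h3@^1.15.10:
  version "1.15.10"
  resolved "https://registry.yarnpkg.com/h3/-/h3-1.15.10.tgz"
`;

// Parse a Yarn v1 lockfile into [{ descriptors, name, version }].
// A header line is unindented, ends with ':' and lists one or more
// comma-separated "name@range" descriptors (quoted when they contain '@' scopes).
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (!line || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const descriptors = line
        .slice(0, -1)
        .split(',')
        .map((d) => d.trim().replace(/^"|"$/g, ''));
      // The package name is everything before the last '@', so scoped
      // names such as "@onflow/fcl" are handled correctly.
      const first = descriptors[0];
      const name = first.slice(0, first.lastIndexOf('@'));
      current = { descriptors, name, version: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Numeric comparison of dotted release versions (negative when a < b).
// Prerelease suffixes are ignored; that is sufficient for the 1.15.x line.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lock entry for `name` whose resolved version is older than `minVersion`.
// Several entries can exist at once, one per distinct range requested upstream.
function findOutdated(lockText, name, minVersion) {
  return parseYarnLockV1(lockText).filter(
    (e) => e.name === name && e.version && compareVersions(e.version, minVersion) < 0
  );
}

// The interim workaround from the issue: a package.json "resolutions" entry.
// Yarn v1 applies resolutions to transitive dependencies, not just direct ones.
function withResolution(pkgJson, name, range) {
  return {
    ...pkgJson,
    resolutions: { ...(pkgJson.resolutions || {}), [name]: range },
  };
}

const outdated = findOutdated(SAMPLE_LOCK, 'h3', '1.15.10');
for (const e of outdated) {
  console.log(`h3 ${e.version} is resolved for: ${e.descriptors.join(', ')}`);
}
if (outdated.length) {
  const patched = withResolution(
    { name: 'app', dependencies: { '@onflow/fcl': '^1.13.0' } },
    'h3',
    '^1.15.10'
  );
  console.log(JSON.stringify(patched, null, 2));
}
```

After adding the resolution, run `yarn install` so the lockfile is regenerated and re-run the scan; once @onflow/fcl itself ships with a lockfile resolving h3 at or above the floor, the resolution can be dropped.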

Labels: Bug (Something isn't working)