scripts/whatsapp-bridge/package.json

{
  "name": "hermes-whatsapp-bridge",
  "version": "1.0.0",
  "description": "WhatsApp bridge for Hermes Agent using Baileys",
  "private": true,
  "type": "module",
  "scripts": {
    "start": "node bridge.js"
  },
  "dependencies": {
    "@whiskeysockets/baileys": "WhiskeySockets/Baileys#01047debd81beb20da7b7779b08edcb06aa03770",
    "express": "^4.21.0",
    "qrcode-terminal": "^0.12.0",
    "pino": "^9.0.0"
  },
  "overrides": {
    "protobufjs": "^7.5.5"
  }
}
add full support for whatsapp 2026-02-25 21:04:36 -08:00			`{`
			`"name": "hermes-whatsapp-bridge",`
			`"version": "1.0.0",`
			`"description": "WhatsApp bridge for Hermes Agent using Baileys",`
			`"private": true,`
			`"type": "module",`
			`"scripts": {`
			`"start": "node bridge.js"`
			`},`
			`"dependencies": {`
security: supply chain hardening — CI pinning, dep pinning, and code fixes (#9801) CI/CD Hardening: - Pin all 12 GitHub Actions to full commit SHAs (was mutable @vN tags) - Add explicit permissions: {contents: read} to 4 workflows - Pin CI pip installs to exact versions (pyyaml==6.0.2, httpx==0.28.1) - Extend supply-chain-audit.yml to scan workflow, Dockerfile, dependency manifest, and Actions version changes Dependency Pinning: - Pin git-based Python deps to commit SHAs (atroposlib, tinker, yc-bench) - Pin WhatsApp Baileys from mutable branch to commit SHA Tool Registry: - Reject tool name shadowing from different tool families (plugins/MCP cannot overwrite built-in tools). MCP-to-MCP overwrites still allowed. MCP Security: - Add tool description content scanning for prompt injection patterns - Log detailed change diff on dynamic tool refresh at WARNING level Skill Manager: - Fix dangerous verdict bug: agent-created skills with dangerous findings were silently allowed (ask->None->allow). Now blocked. 2026-04-14 14:23:37 -07:00			`"@whiskeysockets/baileys": "WhiskeySockets/Baileys#01047debd81beb20da7b7779b08edcb06aa03770",`
add full support for whatsapp 2026-02-25 21:04:36 -08:00			`"express": "^4.21.0",`
			`"qrcode-terminal": "^0.12.0",`
			`"pino": "^9.0.0"`
fix(whatsapp): pin protobufjs >=7.5.5 via npm overrides to clear 3 critical vulns (#19204) The whatsapp-bridge pulls @whiskeysockets/baileys at a pinned git commit whose transitive dep tree ships protobufjs <7.5.5, triggering GHSA-xq3m-2v4x-88gg (critical, arbitrary code execution). npm audit reported 3 cascading criticals: protobufjs, @whiskeysockets/libsignal-node (pulls protobufjs), and baileys itself (effect rollup). Fix: add npm overrides block pinning protobufjs to ^7.5.5. Deduplicates to a single 7.5.6 copy at node_modules/protobufjs that both libsignal-node and any other consumers resolve through normal module resolution. Why not bump baileys: npm-published baileys@6.17.16 is deprecated by the maintainers (wrong version), 7.0.0-rc.* still pulls the same vulnerable libsignal-node, and upstream Baileys HEAD adds a 4th vuln (music-metadata). The override is the minimal, behavior-preserving fix. Validation: - npm audit: 3 critical -> 0 vulnerabilities - node -e "import('@whiskeysockets/baileys')" -> all 5 named exports (makeWASocket, useMultiFileAuthState, DisconnectReason, fetchLatestBaileysVersion, downloadMediaMessage) resolve - node bridge.js loads all modules and reaches Express bind (exits only on EADDRINUSE because the live gateway owns :3000) - Single deduped protobufjs@7.5.6 in the tree 2026-05-03 05:22:30 -07:00			`},`
			`"overrides": {`
			`"protobufjs": "^7.5.5"`
add full support for whatsapp 2026-02-25 21:04:36 -08:00			`}`
			`}`