🔒 Security: Migrate deprecated dependencies (metaplex, zustand, ethers)

## Summary

After the security updates in PR #215, there remain **12 transitive vulnerabilities** from deprecated packages that require major migrations to resolve.

## Remaining Vulnerabilities

### Critical/High Priority

| Package | Current | Latest | Issue |
|---------|---------|--------|-------|
| `@metaplex-foundation/js` | 0.20.1 | **DEPRECATED** | 10 high/critical CVEs via axios, form-data, bigint-buffer |
| `zustand` | 3.7.2 | 5.0.9 | Major API changes |
| `ethers` | 5.8.0 | 6.16.0 | BigNumber → BigInt migration |

### Medium Priority

| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|------------------|
| `styled-components` | 5.3.11 | 6.1.19 | Server components, new API |
| `three` | 0.169.0 | 0.182.0 | May affect VRM compatibility |
| `i18next` | 22.5.1 | 25.7.2 | Plugin API changes |
| `@web3-react/core` | 6.1.9 | 8.2.3 | Complete rewrite |

## Metaplex Migration Details

The `@metaplex-foundation/js` package is deprecated with the following CVE chain:

```
@metaplex-foundation/js
├── @irys/sdk (deprecated)
│   └── aptos (deprecated)
│       └── axios@0.x (SSRF, CSRF, DoS)
│       └── form-data@4.x (weak randomness - CRITICAL)
├── @solana/spl-token
│   └── bigint-buffer (buffer overflow - HIGH)
└── Multiple mpl-* packages with vulnerable deps
```

### Migration Path
Metaplex recommends migrating to their new **Umi SDK**:
- `@metaplex-foundation/umi`
- `@metaplex-foundation/umi-bundle-defaults`
- `@metaplex-foundation/mpl-token-metadata` (new version)

**Migration guide:** https://developers.metaplex.com/umi

## Zustand Migration

zustand v5 has breaking changes:
- `create()` → `createStore()`
- Middleware composition changed
- Shallow equality by default

**Migration guide:** https://github.com/pmndrs/zustand/blob/main/docs/migrations/migrating-to-v5.md

## Ethers Migration

ethers v6 has significant breaking changes:
- `BigNumber` → native `BigInt`
- `utils.parseEther()` → `parseEther()`
- Provider/Signer API changes

**Migration guide:** https://docs.ethers.org/v6/migrating/

## Recommended Approach

1. **Phase 1:** Migrate zustand v3 → v5 (isolated state management)
2. **Phase 2:** Migrate ethers v5 → v6 (affects wallet/blockchain code)
3. **Phase 3:** Migrate metaplex SDK (largest change, affects NFT minting)
4. **Phase 4:** Update remaining packages (three, styled-components, i18next)

---
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

🔒 Security: Migrate deprecated dependencies (metaplex, zustand, ethers) #216

Summary

Remaining Vulnerabilities

Critical/High Priority

Medium Priority

Metaplex Migration Details

Migration Path

Zustand Migration

Ethers Migration

Recommended Approach

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Package	Current	Latest	Issue
`@metaplex-foundation/js`	0.20.1	DEPRECATED	10 high/critical CVEs via axios, form-data, bigint-buffer
`zustand`	3.7.2	5.0.9	Major API changes
`ethers`	5.8.0	6.16.0	BigNumber → BigInt migration

Package	Current	Latest	Breaking Changes
`styled-components`	5.3.11	6.1.19	Server components, new API
`three`	0.169.0	0.182.0	May affect VRM compatibility
`i18next`	22.5.1	25.7.2	Plugin API changes
`@web3-react/core`	6.1.9	8.2.3	Complete rewrite

🔒 Security: Migrate deprecated dependencies (metaplex, zustand, ethers) #216

Description

Summary

Remaining Vulnerabilities

Critical/High Priority

Medium Priority

Metaplex Migration Details

Migration Path

Zustand Migration

Ethers Migration

Recommended Approach

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions