New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Fix for 6 vulnerabilities #27

Open

snyk-bot wants to merge 1 commit into develop from snyk-fix-1c952fcd2a6aa5c63ea259476854e24f

snyk-bot commented Oct 7, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- static/node/package.json
- static/node/package-lock.json
- static/node/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @truffle/decoder

The new version differs by 250 commits.

fb27278 Publish
b31b941 Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4363 from trufflesuite/archaeology
c1cb87d Add test of compiling on Solidity <0.4.20
9e51fe6 Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4346 from trufflesuite/extract-web3-eth
9500eea Update type for Eip1193Provider request method
5467f5b Remove unused import
b29a361 Rename type
58ff2d6 Add block type and add typings
cdbe05b Simplify check for eip1193-compliancy
ebe5c41 Add type for 1193-compliant provider
bd5ff12 Simplify variable name
ff9d48a Add Log type and adjust a typing
ccddc9d Rename Web3Adapter to ProviderAdapter
d2b9dfc Refine some methods and tweak return values to keep parity with web3's returns
0fef3d8 Remove web3-eth and implement our own rpc calls
0a6e24e Write our own implementation for eth_getCode in decoder
a422fe4 Adjust implementation for web3-eth to copy the style in the docs
537ad5a Remove type, refine a type, and get ts to compile
ecf743a Add getStorageAt method and use it in decoders
b34657e Update decoders to use web3Adapter instead of web3 directly
6a0aac8 Add one more method and loosen a type or two to continue hacking
7afff55 Add a few more methods to Web3Adapter class
efac32b Refine types a bit and update call to getPastLogs
c66e6dd WIP for implementing the Web3Adapter for the decoder

See the full diff

Package name: web3-eth-abi

The new version differs by 250 commits.

8bfba23 v1.3.6
4fee853 Update geth-dev-assistant
69155de 1.3.6-rc.2 Fixes (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4065)
444bce7 Remove dtslint from ci scripts (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4064)
360b96a Fixing 1.3.6-rc.2 related issues (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4063)
7584ed7 Add web3-core-helpers as dev dependency
2823033 Add web3-core-helpers as dev dependency
bd4509f 1.3.6-rc.2 fixes (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4062)
2d3c54a 1.3.6-rc.2 (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4059)
b0822cd v1.3.6-rc.1
0b243e4 Built lib for 1.3.6-rc.1
5894e9e npm i
131fb16 Merge conflicts
73ef7e2 v1.3.6-rc.0
e758f4b Built lib for 1.3.6-rc.0
cddf991 Update CHANGELOG and ran npm i
fdbda49 Bump underscore (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4051)
5d02719 Release/1.3.5 (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3974)
888d107 Feature/web3 eth iban es6 (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3964) (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3965)
dc148e7 Clarify commitment to semantic versioning (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3961) (Decoding Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3962)
88f59fe Debugging failing tests (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3959) (System Error when running Ganache 2.5.4 on Windows 11 Pro x64 trufflesuite/ganache-ui#3960)
8b2291b Rename tsc to compile (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3957) (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3958)
bb259d9 add nvmrc file (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3817)
20bf22d Bump elliptic from 6.5.3 to 6.5.4 in /packages/web3-core-requestmanager (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3945)

See the full diff

Package name: web3-providers-http

The new version differs by 250 commits.

8bfba23 v1.3.6
4fee853 Update geth-dev-assistant
69155de 1.3.6-rc.2 Fixes (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4065)
444bce7 Remove dtslint from ci scripts (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4064)
360b96a Fixing 1.3.6-rc.2 related issues (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4063)
7584ed7 Add web3-core-helpers as dev dependency
2823033 Add web3-core-helpers as dev dependency
bd4509f 1.3.6-rc.2 fixes (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4062)
2d3c54a 1.3.6-rc.2 (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4059)
b0822cd v1.3.6-rc.1
0b243e4 Built lib for 1.3.6-rc.1
5894e9e npm i
131fb16 Merge conflicts
73ef7e2 v1.3.6-rc.0
e758f4b Built lib for 1.3.6-rc.0
cddf991 Update CHANGELOG and ran npm i
fdbda49 Bump underscore (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4051)
5d02719 Release/1.3.5 (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3974)
888d107 Feature/web3 eth iban es6 (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3964) (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3965)
dc148e7 Clarify commitment to semantic versioning (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3961) (Decoding Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3962)
88f59fe Debugging failing tests (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3959) (System Error when running Ganache 2.5.4 on Windows 11 Pro x64 trufflesuite/ganache-ui#3960)
8b2291b Rename tsc to compile (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3957) (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3958)
bb259d9 add nvmrc file (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3817)
20bf22d Bump elliptic from 6.5.3 to 6.5.4 in /packages/web3-core-requestmanager (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3945)

See the full diff

Package name: web3-providers-ws

The new version differs by 250 commits.

8bfba23 v1.3.6
4fee853 Update geth-dev-assistant
69155de 1.3.6-rc.2 Fixes (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4065)
444bce7 Remove dtslint from ci scripts (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4064)
360b96a Fixing 1.3.6-rc.2 related issues (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4063)
7584ed7 Add web3-core-helpers as dev dependency
2823033 Add web3-core-helpers as dev dependency
bd4509f 1.3.6-rc.2 fixes (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4062)
2d3c54a 1.3.6-rc.2 (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4059)
b0822cd v1.3.6-rc.1
0b243e4 Built lib for 1.3.6-rc.1
5894e9e npm i
131fb16 Merge conflicts
73ef7e2 v1.3.6-rc.0
e758f4b Built lib for 1.3.6-rc.0
cddf991 Update CHANGELOG and ran npm i
fdbda49 Bump underscore (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4051)
5d02719 Release/1.3.5 (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3974)
888d107 Feature/web3 eth iban es6 (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3964) (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3965)
dc148e7 Clarify commitment to semantic versioning (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3961) (Decoding Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3962)
88f59fe Debugging failing tests (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3959) (System Error when running Ganache 2.5.4 on Windows 11 Pro x64 trufflesuite/ganache-ui#3960)
8b2291b Rename tsc to compile (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3957) (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3958)
bb259d9 add nvmrc file (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#3817)
20bf22d Bump elliptic from 6.5.3 to 6.5.4 in /packages/web3-core-requestmanager (System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#3945)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn


          fix: static/node/package.json, static/node/package-lock.json & static…

1ca5280

…/node/.snyk to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-511941
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484
- https://snyk.io/vuln/SNYK-JS-GOT-2932019
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746

# for free to join this conversation on GitHub. Already have an account? # to comment

Labels

None yet