LedgerHQ / ledger-live

Mono-repository for packages related to Ledger Live and its JavaScript ecosystem.

[Bug]: Vulnerability from ethers v5.7.2 #8173

Open samuel-kim-mesh opened 2 weeks ago

samuel-kim-mesh commented 2 weeks ago

Impacted Library name

@ledgerhq/hw-app-eth

Impacted Library version

10.5.0 (using yarn 1.22.21)

Describe the bug

@ledgerhq/hw-app-eth has a dependency on @ledgerhq/evm-tools, which has a dependency on ethers (v5.7.2). Ethers v5.7.2 has a known security vulnerability due to its ws package: https://github.com/ethers-io/ethers.js/issues/4791. The ws package issue can be resolved by upgrading to version >= 8.17.1 and was actually addressed in ethers versions >= 6. Can we upgrade the dependency on ethers to v6 or greater to address this vulnerability?

Expected behavior

Upgrade to ethers v6 or greater to address ws vulnerability.

Additional context

DoS vulnerability caused by ws dependency on ethers v5
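A practical way to confirm which ws versions a project actually resolves is to read the lockfile rather than package.json ranges. The script below is an added example, not code from the ledger-live repository or from the issue author: it parses a yarn v1 lockfile and flags every resolved copy of ws older than 8.17.1, the fixed version the report names. The lockfile text inside it is constructed for illustration.

```javascript
// Added example, not code from ledger-live: scan a yarn v1 lockfile for resolved
// copies of a package older than a known fixed version (here ws < 8.17.1, the
// threshold named in the issue). The lockfile text below is constructed.
const FIXED_WS_VERSION = "8.17.1";
// Parse yarn.lock (v1) into [{ name, specs, version }]. A header such as
// `"ws@^8.0.0", ws@8.17.1:` lists the specs resolved to the block's version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (/^[^\s#].*:\s*$/.test(line)) {
      const specs = line.replace(/:\s*$/, "").split(",").map(s => s.trim().replace(/^"|"$/g, ""));
      // Package name is everything before the last "@" (handles @scope/name).
      current = { name: specs[0].slice(0, specs[0].lastIndexOf("@")), specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Compare dotted versions numerically; pre-release suffixes after "-" are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Every resolved copy of `pkg` below `fixed`, with the specs that pull it in.
function findVulnerable(lockText, pkg, fixed) {
  return parseYarnLock(lockText)
    .filter(e => e.name === pkg && e.version && compareVersions(e.version, fixed) < 0)
    .map(e => ({ version: e.version, specs: e.specs }));
}
// Constructed lockfile fragment (not the real ledger-live yarn.lock).
const SAMPLE_LOCK = `# yarn lockfile v1
ws@7.4.6:
  version "7.4.6"
"ws@^8.0.0", ws@8.17.1:
  version "8.17.1"
`;
for (const h of findVulnerable(SAMPLE_LOCK, "ws", FIXED_WS_VERSION)) {
  console.log(`ws ${h.version} < ${FIXED_WS_VERSION}, resolved for: ${h.specs.join(", ")}`);
}
```

Point it at a real yarn.lock (read the file into `lockText`) to see every ws copy that would still need a resolution override or an upstream bump.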

surfaceflinger commented 2 weeks ago

they won't care unless you keep bumping the issue so that the stale bot won't close it; don't forget to insult them every few bumps

samuel-kim-mesh commented 2 weeks ago

Bump, please take a look here! This is a big security vulnerability.