NomicFoundation / hardhat

Hardhat is a development environment to compile, deploy, test, and debug your Ethereum software.
https://hardhat.org

Add a section in the Toolbox docs explaining how to independently update peer dependencies #3526

Open fvictorio opened 1 year ago

fvictorio commented 1 year ago

Users might not be aware that peer dependencies can be independently updated, and that it's not necessary to wait until we release a new version of the Toolbox. The docs should explain this.

MasterJediLNR commented 1 year ago

This would be fantastic, as we're running into an issue right now where Toolbox 2.0 is throwing several HIGH level vulnerabilities with npm audit and updating the peer and lower dependencies does not seem to help.

package.json

{
  "name": "HardHat",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "hardhat": "^2.12.5"
  },
  "devDependencies": {
    "@nomicfoundation/hardhat-toolbox": "^2.0.0",
    "debug": "4.3.4",
    "flat": "5.0.2",
    "hardhat-gas-reporter": "1.0.9",
    "minimatch": "5.1.2",
    "mocha": "10.2.0",
    "yargs-unparser": "2.0.0"
  }
}

Console Output

PS D:\Scratch\HardHat> npm i

up to date, audited 706 packages in 5s

123 packages are looking for funding
  run `npm fund` for details

8 vulnerabilities (5 high, 3 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
PS D:\Scratch\HardHat> npm audit
# npm audit report

flat  <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
fix available via `npm audit fix --force`
Will install @nomicfoundation/hardhat-toolbox@1.0.2, which is a breaking change
node_modules/eth-gas-reporter/node_modules/flat
node_modules/solidity-coverage/node_modules/flat
  yargs-unparser  <=1.6.3
  Depends on vulnerable versions of flat
  node_modules/eth-gas-reporter/node_modules/yargs-unparser
  node_modules/solidity-coverage/node_modules/yargs-unparser
    mocha  5.1.0 - 9.2.1
    Depends on vulnerable versions of minimatch
    Depends on vulnerable versions of yargs-unparser
    node_modules/eth-gas-reporter/node_modules/mocha
    node_modules/solidity-coverage/node_modules/mocha
      eth-gas-reporter  >=0.2.1
      Depends on vulnerable versions of mocha
      node_modules/eth-gas-reporter
        hardhat-gas-reporter  *
        Depends on vulnerable versions of eth-gas-reporter
        node_modules/hardhat-gas-reporter
          @nomicfoundation/hardhat-toolbox  *
          Depends on vulnerable versions of hardhat-gas-reporter
          Depends on vulnerable versions of solidity-coverage
          node_modules/@nomicfoundation/hardhat-toolbox
      solidity-coverage  >=0.8.0-beta.0
      Depends on vulnerable versions of mocha
      node_modules/solidity-coverage

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install @nomicfoundation/hardhat-toolbox@1.0.2, which is a breaking change
node_modules/eth-gas-reporter/node_modules/minimatch
node_modules/solidity-coverage/node_modules/minimatch

8 vulnerabilities (5 high, 3 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

devcaii commented 1 year ago

How would I go about updating these dependencies? I also have high and critical vulnerabilities right after just installing hardhat, and I'm wondering if I should be concerned about them? And if so, how do I fix them?

fvictorio commented 1 year ago

@devcaii you just explicitly install the dependency. For example, if there's a newer version of typechain you want to use, you just do npm i typechain@latest. This will add it to your package.json with the latest version.

With respect to the vulnerabilities reported by npm, read this.
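As an added example (not code from Hardhat, the Toolbox, or any commenter in this thread), the following Node script puts the two points of the thread together: it lists which Toolbox peer dependencies a project can move forward on its own with `npm i <name>@latest`, as the reply above describes, and it reads the install paths from the `npm audit` output posted earlier to show why the top-level pins for flat, minimatch, mocha and yargs-unparser did not change the report. The peerDependencies object is a constructed subset of what the Toolbox declares and its ranges are assumptions; the project package.json and the audit paths are the ones posted above.

```javascript
// Added example for this thread, not code from Hardhat or the Toolbox.
// Shows (1) which Toolbox peer dependencies a project could update
// independently, and (2) why top-level pins in package.json do not reach
// the nested copies that npm audit flagged.
// A real run would read node_modules/@nomicfoundation/hardhat-toolbox/package.json
// and the paths printed by `npm audit` (or `npm ls --json`); here they are inlined.

// Constructed: a subset of the Toolbox's peerDependencies (ranges are assumptions).
const toolboxPeers = {
  "hardhat": "^2.11.0",
  "hardhat-gas-reporter": "^1.0.8",
  "solidity-coverage": "^0.8.1",
  "typechain": "^8.1.0",
};

// The project's package.json as posted in the thread.
const projectPkg = {
  dependencies: { hardhat: "^2.12.5" },
  devDependencies: {
    "@nomicfoundation/hardhat-toolbox": "^2.0.0",
    debug: "4.3.4",
    flat: "5.0.2",
    "hardhat-gas-reporter": "1.0.9",
    minimatch: "5.1.2",
    mocha: "10.2.0",
    "yargs-unparser": "2.0.0",
  },
};

// Peers the project does not list explicitly are whatever npm resolved when
// the Toolbox was installed. Adding them explicitly lets the project move
// them forward without waiting for a new Toolbox release.
function planPeerUpdates(peers, pkg) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(peers)
    .filter((name) => !(name in declared))
    .sort()
    .map((name) => ({
      name,
      peerRange: peers[name],
      command: `npm install --save-dev ${name}@latest`,
    }));
}

// Returns the package whose own node_modules a path is nested in, or null
// for a top-level install. A nested copy is resolved from the owner's
// dependency ranges, so a top-level pin of the same package does not touch it.
function nestedOwner(installPath) {
  const parts = installPath.split("/").filter(Boolean);
  const nmIndexes = parts
    .map((p, i) => (p === "node_modules" ? i : -1))
    .filter((i) => i >= 0);
  if (nmIndexes.length < 2) return null;
  const lastNm = nmIndexes[nmIndexes.length - 1];
  const prevNm = nmIndexes[nmIndexes.length - 2];
  // Scoped packages (@scope/name) occupy two path segments, so join the slice.
  return parts.slice(prevNm + 1, lastNm).join("/");
}

// Groups audit paths by vulnerable package and names the owner of each copy.
function explainAuditPaths(paths) {
  const byPackage = {};
  for (const p of paths) {
    const parts = p.split("/").filter(Boolean);
    const name = parts.slice(parts.lastIndexOf("node_modules") + 1).join("/");
    const owner = nestedOwner(p);
    (byPackage[name] = byPackage[name] || []).push(
      owner === null ? "top-level" : `nested under ${owner}`
    );
  }
  return byPackage;
}

// The paths npm audit printed in the thread for the flat and minimatch advisories.
const auditPaths = [
  "node_modules/eth-gas-reporter/node_modules/flat",
  "node_modules/solidity-coverage/node_modules/flat",
  "node_modules/eth-gas-reporter/node_modules/minimatch",
  "node_modules/solidity-coverage/node_modules/minimatch",
];

for (const u of planPeerUpdates(toolboxPeers, projectPkg)) {
  console.log(u.command);
}
console.log(explainAuditPaths(auditPaths));
```

Run it with `node`. The first part prints `npm install --save-dev solidity-coverage@latest` and `npm install --save-dev typechain@latest`, because those are the only peers in the constructed list that the posted package.json does not declare. The second part reports every flagged copy of flat and minimatch as nested under eth-gas-reporter or solidity-coverage: those copies satisfy the ranges those packages declare (through the old mocha they depend on), so the pins added at the top level of package.json only affect the top-level copies and leave the audit count unchanged. Fixing the nested copies needs either a release of the owning package with updated ranges, or npm's `overrides` field in package.json (npm 8.3 and later), which forces the nested version at the risk of breaking the package that declared the original range.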