search

OpenZeppelin / defender-client

Monorepo for all defender-client npm packages
https://docs.openzeppelin.com/defender/
MIT License
56 stars 48 forks source link

[Snyk] Security upgrade web3 from 1.10.0 to 4.0.1 #544

Open tirumerla opened 7 months ago

tirumerla commented 7 months ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - examples/web3-provider/package.json #### Note for [zero-installs](https://yarnpkg.com/features/zero-installs) users If you are using the Yarn feature [zero-installs](https://yarnpkg.com/features/zero-installs) that was introduced in Yarn V2, note that this PR does not update the `.yarn/cache/` directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run `yarn` to update the contents of the `./yarn/cache` directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
⚠️ Warning ``` Failed to update the yarn.lock, please update manually before merging. ```
#### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:------------------------- ![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **768/1000**
**Why?** Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5 | Prototype Pollution
[SNYK-JS-WEB3UTILS-6229337](https://snyk.io/vuln/SNYK-JS-WEB3UTILS-6229337) | Yes | Proof of Concept (*) Note that the real score may have changed since the PR was raised. Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: 🧐 [View latest project report](https://app.snyk.io/org/carlosfkrause/project/38904a26-ab49-46b2-ad96-55b426f40949?utm_source=github&utm_medium=referral&page=fix-pr) 🛠 [Adjust project settings](https://app.snyk.io/org/carlosfkrause/project/38904a26-ab49-46b2-ad96-55b426f40949?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"e5056944-cec2-4011-b775-b512b35d0eee","prPublicId":"e5056944-cec2-4011-b775-b512b35d0eee","dependencies":[{"name":"web3","from":"1.10.0","to":"4.0.1"}],"packageManager":"yarn","projectPublicId":"38904a26-ab49-46b2-ad96-55b426f40949","projectUrl":"https://app.snyk.io/org/carlosfkrause/project/38904a26-ab49-46b2-ad96-55b426f40949?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-WEB3UTILS-6229337"],"upgrade":["SNYK-JS-WEB3UTILS-6229337"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["updated-fix-title","pr-warning-shown","priorityScore"],"priorityScoreList":[768],"remediationStrategy":"vuln"}) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Prototype Pollution](https://learn.snyk.io/lesson/prototype-pollution/?loc=fix-pr)
socket-security[bot] commented 7 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@aws-sdk/types@3.465.0 None 0 40.8 kB aws-sdk-bot
npm/@openzeppelin/defender-base-client@1.54.0-rc.0 None 0 2.46 kB collins-oz
npm/@openzeppelin/defender-relay-client@1.54.0-rc.0 None 0 19.2 kB collins-oz
npm/@sindresorhus/is@4.6.0 None 0 57.5 kB sindresorhus
npm/@smithy/types@2.7.0 None 0 234 kB smithy-team
npm/amazon-cognito-identity-js@6.3.7 network 0 1.39 MB aws-amplify-ops
npm/array-flatten@1.1.1 None 0 4.42 kB blakeembrey
npm/assert-plus@1.0.0 environment 0 11.4 kB pfmooney
npm/async-limiter@1.0.1 None 0 6.9 kB strml
npm/aws-sign2@0.7.0 None 0 14.2 kB mikeal
npm/aws4@1.12.0 environment 0 23.5 kB hichaelmart
npm/bluebird@3.7.2 environment, eval, unsafe 0 632 kB esailija
npm/caseless@0.12.0 None 0 14.3 kB mikeal
npm/chownr@2.0.0 filesystem 0 5.75 kB isaacs
npm/cipher-base@1.0.4 None 0 7.95 kB cwmma
npm/content-type@1.0.5 None 0 10.5 kB dougwilson
npm/cookie-signature@1.0.6 None 0 3.94 kB natevw
npm/cookie@0.5.0 None 0 23.1 kB dougwilson
npm/core-util-is@1.0.3 None 0 4.98 kB isaacs
npm/cors@2.8.5 None 0 20 kB dougwilson
npm/create-hash@1.2.0 None +1 12.9 kB cwmma
npm/create-hmac@1.1.7 None 0 5.81 kB cwmma
npm/d@1.0.1 None +1 125 kB medikoo
npm/decode-uri-component@0.2.2 None 0 6.09 kB samverschueren
npm/dom-walk@0.1.2 None 0 2.66 kB raynos
npm/encodeurl@1.0.2 None 0 7.86 kB dougwilson
npm/end-of-stream@1.4.4 None 0 6.23 kB mafintosh
npm/es6-promise@4.2.8 None 0 315 kB stefanpenner
npm/escape-html@1.0.3 None 0 3.66 kB dougwilson
npm/etag@1.8.1 filesystem 0 10.8 kB dougwilson
npm/extend@3.0.2 None 0 23.5 kB ljharb
npm/extsprintf@1.3.0 None 0 22.8 kB dap
npm/follow-redirects@1.15.1 network 0 27.7 kB rubenverborgh
npm/forever-agent@0.6.1 network 0 14 kB simov
npm/fs-extra@10.1.0 None 0 63.3 kB ryanzim
npm/har-schema@2.0.0 None 0 15.1 kB ahmadnassri
npm/has-symbols@1.0.3 None 0 20.6 kB ljharb
npm/immediate@3.0.6 None 0 14.6 kB cwmma
npm/is-typedarray@1.0.0 None 0 4.41 kB hughsk
npm/isstream@0.1.2 None 0 13.3 kB rvagg
npm/mkdirp@1.0.4 environment, filesystem 0 19.1 kB isaacs
npm/oauth-sign@0.9.0 None 0 13.8 kB simov
npm/object-assign@4.1.1 None 0 5.49 kB sindresorhus
npm/performance-now@2.1.0 None 0 11.3 kB meryn
npm/psl@1.9.0 None 0 461 kB lupomontero
npm/ripemd160@2.0.2 None 0 9.79 kB dcousens
npm/safe-buffer@5.2.1 None 0 32.1 kB feross
npm/sax@1.2.1 None 0 66.8 kB isaacs
npm/sha.js@2.4.11 None 0 31.1 kB dcousens
npm/tweetnacl@0.14.5 None 0 174 kB dchest
npm/unpipe@1.0.0 None 0 4.31 kB dougwilson
npm/util-deprecate@1.0.2 None 0 5.48 kB tootallnate
npm/util@0.12.5 environment Transitive: eval +2 94.4 kB goto-bus-stop
npm/vary@1.1.2 None 0 8.75 kB dougwilson
npm/xtend@4.0.2 None 0 6.46 kB raynos

🚮 Removed packages: npm/@npmcli/promise-spawn@6.0.2, npm/@octokit/types@9.3.2, npm/bl@4.1.0, npm/cli-spinners@2.6.1, npm/dotenv@16.3.1, npm/figures@3.2.0, npm/follow-redirects@1.15.2, npm/fs-minipass@3.0.2, npm/hosted-git-info@4.1.0, npm/is-core-module@2.12.1, npm/is-plain-obj@1.1.0, npm/jsonparse@1.3.1, npm/make-fetch-happen@11.1.1, npm/node-gyp-build@4.6.0, npm/node-machine-id@1.1.12, npm/normalize-package-data@3.0.3, npm/protocols@2.0.1, npm/sigstore@1.7.0, npm/tslib@2.6.0, npm/yargs-parser@20.2.4

View full report↗︎