Open ben-kaufman opened 4 years ago
Hi @ben-kaufman!
We have been able to reproduce this issue by following these steps:
$ mkdir issue1514 && cd issue1514
$ npm init -y
$ npm i @openzeppelin/upgrades@rc
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Insecure Credential Storage │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ web3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/upgrades │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @openzeppelin/upgrades > web3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/877 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Write │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ decompress │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/upgrades │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @openzeppelin/upgrades > web3 > web3-bzz > swarm-js > │
│ │ decompress │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1217 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 low, 1 high) in 36898 scanned packages
2 vulnerabilities require manual review. See the full report for details.
Thanks so much for reporting it! The project owner will review and triage this issue during the next week.
The vulnerabilities are in web3 or its dependencies and are not fixed in the latest version of web3 (you can check by installing web3@1.2.6). https://github.com/OpenZeppelin/openzeppelin-sdk/issues/700#issuecomment-594127396
The Arbitrary File Write vulnerability should be fixed in a future version of web3 https://github.com/ethereum/web3.js/issues/3399
Hi, when adding the `@openzeppelin/upgrades` package to my project I receive warnings on package vulnerabilities (running `npm audit` provides detail). They all seem to arise from the `web3` version you use here. Updating the `web3` package used here should solve the issue.