OpenZeppelin / openzeppelin-test-environment

[Not actively maintained] One-line setup for blazing-fast smart contracts tests
https://docs.openzeppelin.com/test-environment
MIT License

update for "npm audit fix" #152

Closed lebed2045 closed 3 years ago

lebed2045 commented 3 years ago

After a fresh install (truffle init and npm install --save-dev @openzeppelin/test-environment, which got "@openzeppelin/test-environment": "^0.1.8") and npm audit fix, I get vulnerabilities that required manual review and could not be updated:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Signature Malleability                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ elliptic                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/test-environment [dev]                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @openzeppelin/test-environment > web3 > web3-eth >           │
│               │ web3-eth-abi > ethers > elliptic                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1547                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Signature Malleability                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ elliptic                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/test-environment [dev]                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @openzeppelin/test-environment > web3 > web3-eth >           │
│               │ web3-eth-contract > web3-eth-abi > ethers > elliptic         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1547                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Signature Malleability                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ elliptic                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/test-environment [dev]                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @openzeppelin/test-environment > web3 > web3-eth >           │
│               │ web3-eth-ens > web3-eth-contract > web3-eth-abi > ethers >   │
│               │ elliptic                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1547                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Signature Malleability                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ elliptic                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/test-environment [dev]                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @openzeppelin/test-environment > web3 > web3-eth >           │
│               │ web3-eth-ens > web3-eth-abi > ethers > elliptic              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1547                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Is it something on my side, or is there a possible update for openzeppelin-test-environment which would fix it?

abcoathup commented 3 years ago

Hi @lebed2045! I’m sorry that you had this issue.

Thanks so much for reporting it! The project owner will review and triage this issue as soon as they can.

Some of the dependencies could be updated to resolve some of these issues for OpenZeppelin Test Environment.

frangio commented 3 years ago

Thank you for reporting @lebed2045. I've released a new version with an updated and un-pinned web3 dependency so this doesn't happen again in the future. If there are any remaining vulnerability reports they should be fixed in web3 itself.