OpenZeppelin / openzeppelin-test-helpers

Assertion library for Ethereum smart contract testing
https://docs.openzeppelin.com/test-helpers
MIT License

Update package-lock.json file to automatically remove the vulnerability CVE-2020-28498 #169

Closed paimon0715 closed 3 years ago

paimon0715 commented 3 years ago

Hi, @frangio @nventuro, I have reported a vulnerability issue in package ethers.

As far as I am aware, vulnerability CVE-2020-28498 detected in package elliptic<6.5.4 is directly referenced by ethers@4.0.48, on which your package @openzeppelin/test-helpers@0.5.12 transitively depends. As such, this vulnerability can also affect @openzeppelin/test-helpers@0.5.12 via the following path: @openzeppelin/test-helpers@0.5.12 ➔ @truffle/contract@4.3.23 ➔ @truffle/interface-adapter@0.5.2 ➔ ethers@4.0.48 ➔ elliptic@6.5.3 (vulnerable version)

Since ethers has released a new patched version ethers@4.0.49 to resolve this issue (ethers@4.0.49 ➔ elliptic@6.5.4 (safe version)), this vulnerability patch can be automatically propagated into your project only if you update your package-lock.json file (delete package-lock.json and re-execute the npm install command): @openzeppelin/test-helpers@0.5.12 ➔ @truffle/contract@4.3.23 ➔ @truffle/interface-adapter@0.5.2 ➔ ethers@4.0.49 ➔ elliptic@6.5.4 (vulnerability fix version).

A warm tip. ^_^

frangio commented 3 years ago

Thank you @paimon0715. I've refreshed the lockfiles. Unfortunately it seems that 6.5.3 is still installed, as follows:

├─┬ ganache-cli@6.12.2
│ └─┬ ethereumjs-util@6.2.1
│   ├── elliptic@6.5.3
│   └─┬ ethereum-cryptography@0.1.3
│     └─┬ secp256k1@4.0.2
│       └── elliptic@6.5.3 deduped

Doesn't look like we can do anything to fix it here.
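As an added example (not code from openzeppelin-test-helpers or from either commenter), the check behind both posts above can be scripted: walk a lockfileVersion 1 package-lock.json and list every installed copy of elliptic older than 6.5.4 together with the path it sits under, which is what `npm ls` showed in the ganache-cli tree. The sample lockfile embedded below is constructed to mirror the two paths discussed in this issue.

```javascript
// Added example (not code from openzeppelin-test-helpers or the commenters):
// scan a lockfileVersion 1 package-lock.json for installed copies of a
// package older than the fixed version and report where each copy sits.
// Real usage: findVulnerable(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).dependencies, 'elliptic', '6.5.4')

// Parse "6.5.3" into [6, 5, 3]; a pre-release suffix is dropped for this check.
function parseSemver(v) {
  return v.split('-')[0].split('.').map(Number);
}

// True when version a is strictly lower than version b (major.minor.patch).
function lessThan(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Walk the nested `dependencies` objects of a lockfileVersion 1 tree (each
// level is one nested node_modules directory) and return one
// "a@1 > b@2 > pkg@ver" path per installed copy of `pkg` below `fixed`.
function findVulnerable(deps, pkg, fixed, trail = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = trail.concat(`${name}@${entry.version}`);
    if (name === pkg && lessThan(entry.version, fixed)) hits.push(here.join(' > '));
    hits.push(...findVulnerable(entry.dependencies, pkg, fixed, here));
  }
  return hits;
}

// Constructed sample lockfile mirroring the two paths discussed in this issue,
// plus a hoisted top-level copy that is already on the patched version.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    '@truffle/contract': { version: '4.3.23', dependencies: {
      '@truffle/interface-adapter': { version: '0.5.2', dependencies: {
        ethers: { version: '4.0.48', dependencies: { elliptic: { version: '6.5.3' } } } } } } },
    'ganache-cli': { version: '6.12.2', dependencies: {
      'ethereumjs-util': { version: '6.2.1', dependencies: { elliptic: { version: '6.5.3' } } } } },
    elliptic: { version: '6.5.4' },
  },
};

for (const hit of findVulnerable(sampleLock.dependencies, 'elliptic', '6.5.4')) console.log(hit);
```

A copy that only appears via `requires` (hoisted to the top level) is reported once at its installed location, so a clean result means no nested node_modules still holds an old build.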