TrueFiEng / Waffle

Library for writing and testing smart contracts.
https://getwaffle.io
MIT License

Could you help update your package to remove the vulnerabilities? #535

Closed paimon0715 closed 1 year ago

paimon0715 commented 3 years ago

Hi @marekkirejczyk, I'd like to report several vulnerabilities.

Issue

Three vulnerabilities (1 high and 2 medium severity) are introduced in @ethereum-waffle/provider:

1. Vulnerability CVE-2020-28500 (medium severity) is detected in package lodash (versions: <4.17.21): https://snyk.io/vuln/SNYK-JS-LODASH-1018905
2. Vulnerability CVE-2021-23337 (high severity) is detected in package lodash (versions: <4.17.21): https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054
3. Vulnerability CVE-2021-23358 (medium severity) is detected in package underscore (versions: >=1.3.2 <1.12.1, >=1.13.0-0 <1.13.0-2): https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

The above vulnerable packages are referenced by @ethereum-waffle/provider via:

1. @ethereum-waffle/provider@3.3.2 ➔ ganache-core@2.13.2 ➔ lodash@4.17.20
2. @ethereum-waffle/provider@3.3.2 ➔ ganache-core@2.13.2 ➔ web3@1.2.11 ➔ web3-bzz@1.2.11 ➔ underscore@1.9.1

Solution

Since `@ethereum-waffle/provider 3.3.*` is transitively referenced by **57** downstream projects (e.g., @ethereum-waffle/chai 3.3.1 (latest version), ethereum-waffle 3.3.0 (latest version), @connext/vector-utils 0.2.5-beta.18 (latest version), @connext/vector-contracts 0.2.5-beta.18 (latest version), @connext/vector-engine 0.2.5-beta.18 (latest version),

`@ethereum-waffle/provider 2.5.*` is referenced by **28** downstream projects (e.g., @pooltogether/pooltogether-contracts 3.3.10 (latest version), @linkdrop/sdk 1.1.6 (latest version), @linkdrop/contracts 1.1.6 (latest version), @pooltogether/api-runner 1.3.2 (latest version), sortition-sum-tree-factory 0.1.0 (latest version))

If @ethereum-waffle/provider removes the vulnerable packages from the above versions, then its fixed version can help downstream users decrease their pain.

Could you help update packages in these versions?

Fixing suggestions

(1) In `@ethereum-waffle/provider 3.3.*`, you can kindly perform the following upgrades (not crossing their major versions): ganache-core ^2.13.2 ➔ ~2.2.0;

Note: ganache-core ~2.2.0 directly depends on lodash@4.17.21 (a version with CVE-2020-28500 and CVE-2021-23337 patched); ganache-core ~2.2.0 transitively depends on underscore@1.13.1 (a version with CVE-2021-23358 patched).

(2) In `@ethereum-waffle/provider 2.5.*`, you can kindly perform the following upgrades (not crossing their major versions): ganache-core ^2.10.2 ➔ ~2.2.0;

Note: ganache-core ~2.2.0 directly depends on lodash@4.17.21 (a version with CVE-2020-28500 and CVE-2021-23337 patched); ganache-core ~2.2.0 transitively depends on underscore@1.13.1 (a version with CVE-2021-23358 patched).

Thanks for your contributions to the npm ecosystem!

Best regards, Paimon
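The report above names the vulnerable packages by the dependency path that reaches them (provider ➔ ganache-core ➔ lodash, and so on). The following Node script is an added example, not code from the Waffle project or from the reporter: it walks a lockfileVersion-1 style dependency tree and prints every path that ends in a package version matching an advisory's semver range, so a maintainer can confirm a path is gone after an upgrade. The lock tree is constructed inline from the paths in the report (it is not a real lockfile), the advisory list uses the ranges quoted in the report with `||` for the comma-separated alternatives, and the range check is a small hand-written comparator rather than the `semver` package.

```javascript
// Added example (not Waffle's code): find dependency paths that reach a
// package version inside a known-vulnerable semver range.

// Constructed sample tree, modelled on the two paths named in the report.
// Shape follows package-lock.json lockfileVersion 1 ("dependencies" nested).
const SAMPLE_LOCK = {
  name: "@ethereum-waffle/provider",
  version: "3.3.2",
  dependencies: {
    "ganache-core": {
      version: "2.13.2",
      dependencies: {
        lodash: { version: "4.17.20" },
        web3: {
          version: "1.2.11",
          dependencies: {
            "web3-bzz": {
              version: "1.2.11",
              dependencies: { underscore: { version: "1.9.1" } },
            },
          },
        },
      },
    },
  },
};

// Advisory ranges as quoted in the issue; "||" joins alternative ranges.
const ADVISORIES = [
  { pkg: "lodash", id: "CVE-2020-28500", range: "<4.17.21" },
  { pkg: "lodash", id: "CVE-2021-23337", range: "<4.17.21" },
  { pkg: "underscore", id: "CVE-2021-23358", range: ">=1.3.2 <1.12.1 || >=1.13.0-0 <1.13.0-2" },
];

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Semver 2.0 precedence: core numbers first; a pre-release sorts before its
// release; numeric identifiers compare numerically and rank below alphanumerics.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  if (x.pre.length === 0 || y.pre.length === 0) return y.pre.length - x.pre.length;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1;
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i];
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (Number(p) !== Number(q)) return Number(p) - Number(q); }
    else if (pn !== qn) return pn ? -1 : 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Range syntax supported: comparators (<, <=, >, >=, =) ANDed by whitespace,
// alternatives ORed by "||". Simplification: unlike npm's semver, a pre-release
// version is compared against every comparator, not only those with the same tuple.
function satisfies(version, range) {
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(cmp);
      const c = compareVersions(version, m[2]);
      switch (m[1]) {
        case "<": return c < 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case ">=": return c >= 0;
        default: return c === 0;
      }
    }));
}

// Depth-first walk; records one hit per (advisory, reachable vulnerable version).
function findVulnerablePaths(lock, advisories) {
  const hits = [];
  function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${dep.version}`];
      for (const adv of advisories) {
        if (adv.pkg === name && satisfies(dep.version, adv.range)) {
          hits.push({ id: adv.id, pkg: name, version: dep.version, path: here.join(" ➔ ") });
        }
      }
      walk(dep, here);
    }
  }
  walk(lock, [`${lock.name}@${lock.version}`]);
  return hits;
}

for (const hit of findVulnerablePaths(SAMPLE_LOCK, ADVISORIES)) {
  console.log(`${hit.id}: ${hit.path}`);
}
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the parsed file; an empty result after bumping ganache-core shows the path, not just the leaf version, has been removed, which is what the downstream projects in the report need.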

paimon0715 commented 3 years ago

Many active downstream users transitively use the lower versions of @ethereum-waffle/provider (2.5.* and 3.3.*), which introduced vulnerabilities, via unmaintained packages (which cannot update their dependencies). If @ethereum-waffle/provider@2.5.* and 3.3.* can fix the issues, the vulnerable patches can be automatically propagated into the active downstream projects.

ee99ee commented 1 year ago

I see this is still open. 😢 😿

rzadp commented 1 year ago

Waffle 4 is out, which got rid of the deprecated ganache-core - that alone should have fixed most of the vulnerabilities :) We now depend on the ganache package.

We also updated a lot of other dependencies.