Closed Data-Nexus closed 7 months ago
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
Package | New capabilities | Transitives | Size | Publisher |
---|---|---|---|---|
npm/@graphprotocol/graph-cli@0.64.1 | Transitive: environment, eval, filesystem, network, shell, unsafe | +499 |
146 MB | dotansimha |
npm/@graphprotocol/graph-ts@0.32.0 | Transitive: eval | +3 |
19.2 MB | dotansimha |
npm/typescript@3.9.10 | None | 0 |
54.1 MB | typescript-bot |
🚮 Removed packages: npm/@graphprotocol/graph-cli@0.20.3, npm/@graphprotocol/graph-ts@0.20.1, npm/@types/express-serve-static-core@4.17.19, npm/@types/lodash@4.14.168, npm/@types/node@12.20.12, npm/asmcrypto.js@2.3.2, npm/asn1.js@5.4.1, npm/async@2.6.3, npm/base-x@3.0.8, npm/bignumber.js@9.0.1, npm/bindings@1.5.0, npm/bip66@1.1.5, npm/blakejs@1.1.0, npm/borc@2.1.2, npm/builtin-status-codes@3.0.0, npm/call-bind@1.0.2, npm/cids@0.7.5, npm/debug@4.3.1, npm/detect-node@2.0.5, npm/drbg.js@1.0.1, npm/explain-error@1.0.4, npm/flatmap@0.0.3, npm/glob@7.1.7, npm/graceful-fs@4.2.6, npm/hi-base32@0.5.1, npm/ip@1.1.5, npm/ipfs-block@0.8.1, npm/ipld-dag-cbor@0.15.3, npm/ipld-dag-pb@0.17.4, npm/ipld-raw@4.0.1, npm/is-buffer@2.0.5, npm/is-glob@4.0.1, npm/is-ipfs@0.6.3, npm/is-promise@1.0.1, npm/is-pull-stream@0.0.0, npm/iso-random-stream@1.1.2, npm/iso-stream-http@0.1.2, npm/iterable-ndjson@1.1.0, npm/just-kebab-case@1.1.0, npm/just-map-keys@1.1.0, npm/keypair@1.0.3, npm/kind-of@6.0.3, npm/ky-universal@0.2.2, npm/ky@1.2.0, npm/libp2p-crypto-secp256k1@0.3.1, npm/libp2p-crypto@0.16.3, npm/looper@3.0.0, npm/mafmt@7.1.0, npm/mime-types@2.1.30, npm/minimatch@3.0.4, npm/minimist@1.2.5, npm/multicodec@1.0.4, npm/multihashes@0.4.21, npm/nan@2.14.2, npm/ndjson@1.5.0, npm/object-inspect@1.10.3, npm/peer-id@0.12.5, npm/peer-info@0.15.1, npm/picomatch@2.2.3, npm/promise-nodeify@3.0.1, npm/promisify-es6@1.0.3, npm/pull-defer@0.2.3, npm/pull-stream@3.6.14, npm/pull-to-stream@0.1.1, npm/punycode@2.1.1, npm/qs@6.5.2, npm/readable-stream@2.3.7, npm/side-channel@1.0.4, npm/split2@2.2.0, npm/stream-to-pull-stream@1.7.3, npm/tar-stream@2.2.0, npm/through2@2.0.5, npm/tmp-promise@3.0.2, npm/typescript@3.9.9
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
Alert | Package | Note | Source |
---|---|---|---|
Native code | npm/secp256k1@4.0.3 |
| |
Native code | npm/keccak@3.0.4 |
|
Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of ecosystem/package-name@version
specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0
or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore npm/secp256k1@4.0.3
@SocketSecurity ignore npm/keccak@3.0.4
Additional step that I initially missed. We need to update the internal type in the ABI from a uint8 to a uint256.
This subgraph can be used to monitor success of this fix: https://thegraph.com/hosted-service/subgraph/graph-buildersdao/uniswap-v3-polygon
New ipfs hash after ABI fix: QmeVmqBfgGLC8z5vAPUXgaktUocWEJctUxqG37qMaqRKcY
Builds to QmW4KFgDgFPmhPhaQB3yMVzxmm9wBJDuwkhSatgJGdjuVa
Link for testing: https://thegraph.com/explorer/subgraphs/3hCPRGf4z88VC5rsBKU5AA9FBBq5nF3jbKJG7VZCbhjm?view=Playground&chain=arbitrum-one
There was an indexing failure this morning on polygon due to a deployed ERC20 with an unreasonable
decimals()
value.In the currently utilized
graph-ts 0.20.0
, there is no type inference on making eth calls, sotry_decimals()
on line 79 oftoken.ts
will return a type ofany
. I have updated graph-ts to 0.32.0 which should resolve this. Additional documentation about the move from The Graph about breaking changes introduced in0.22.0
can be found hereMany nullability changes when attempting to load entities have been updated. Inside core, most can be enforced with
!
, in some places where values are expected, but not certain we useif(entity) {...}
.On my end, this builds to
Qmd85YGxUPbhg5jGWWqpXZpgU2SRsQbvUUbK532ZPRY591
using graph-cli versiongraph-cli/0.67.2