A Symbolic Ethereum Virtual Machine (EVM) bytecode interpreter, parser and decompiler, along with several other utils for programmatically extracting information from EVM bytecode.
One of the solc compiler versions used for testing, v0.5.5, depends on `"yargs": "^11.0.0"`. This indirect dependency is vulnerable to Prototype Pollution https://security.snyk.io/vuln/SNYK-JS-YARGSPARSER-560381. This vulnerability has a moderate severity and it is not actually used. It is used by solc to parse CLI arguments. So it does not represent a real issue.
However, the best solution would be to skip installing this package to avoid any issue. One solution could be to fork `solc@0.5.5` and remove the unnecessary dependency.
Note that https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/ is not an option, given that ideally we would like to remove the indirect dependency altogether. And the command `yarn patch` is only available in Yarn v2.
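The argument above ("the vulnerable package is only reached through a test-time dependency, so it is not a real issue") is worth being able to check mechanically whenever the dependency tree changes. The following is an added example, not code from this issue or from the project: it walks a dependency tree in the shape of `npm ls --json` output (each node has `version`, optional `dev: true`, and nested `dependencies`) and reports every path to a target package and whether any path is reachable from production dependencies. The `sampleTree` is constructed for illustration and does not claim to be the project's real tree.

```javascript
// Constructed sample tree in the shape of `npm ls --json` output. The versions
// below are illustrative placeholders, not the project's actual lock file.
const sampleTree = {
  name: "example-project",
  dependencies: {
    solc: {
      version: "0.5.5",
      dev: true, // only installed for the test suite
      dependencies: {
        yargs: {
          version: "11.1.1",
          dependencies: { "yargs-parser": { version: "9.0.2" } },
        },
      },
    },
    "some-runtime-lib": { version: "1.0.0", dependencies: {} },
  },
};

// Depth-first walk collecting every path to `target`. A path is "dev only" if
// any edge on it is flagged `dev: true`, i.e. the package is never installed
// for a production (`--production`) install.
function findPaths(tree, target, path = [], devSoFar = false, out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const devOnly = devSoFar || node.dev === true;
    const here = [...path, `${name}@${node.version}`];
    if (name === target) out.push({ path: here.join(" > "), devOnly });
    findPaths(node, target, here, devOnly, out);
  }
  return out;
}

// Summarise reachability: the interesting signal for triage is whether the
// vulnerable package is reachable through at least one production edge.
function triage(tree, target) {
  const paths = findPaths(tree, target);
  return {
    reachable: paths.length > 0,
    productionReach: paths.some((p) => !p.devOnly),
    paths,
  };
}

console.log(JSON.stringify(triage(sampleTree, "yargs-parser"), null, 2));
```

Run it against real data with `npm ls --json --all > tree.json` and load that object in place of `sampleTree`; a `productionReach: true` result is the case that actually needs fixing rather than just noting.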