acuarica / evm

A Symbolic Ethereum Virtual Machine (EVM) bytecode interpreter, parser and decompiler, along with several other utils for programmatically extracting information from EVM bytecode.
https://acuarica.github.io/evm/
MIT License

Remove `yargs@11` indirect dependency #40

Closed acuarica closed 9 months ago

acuarica commented 1 year ago

One of the solc compiler versions used for testing, v0.5.5, depends on `"yargs": "^11.0.0"`. This indirect dependency is vulnerable to Prototype Pollution https://security.snyk.io/vuln/SNYK-JS-YARGSPARSER-560381. This vulnerability has a moderate severity and it is not actually used. It is used by solc to parse CLI arguments. So it does not represent a real issue.

However, the best solution would be to skip installing this package to avoid any issue. One solution could be to fork solc@0.5.5 and remove the unnecessary dependency.

Note that https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/ is not an option, given that ideally we would like to remove the indirect dependency altogether. And the command `yarn patch` is only available in Yarn v2.
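As an added example (not code from the acuarica/evm project or from yargs-parser), the toy dot-notation argument parser below shows the bug class the linked advisory names, beside the check that closes it. Argument parsers that turn `--a.b=1` into nested objects must refuse to walk into prototype keys; the argv strings and the `polluted` key are constructed inputs, and `setPathUnsafe`, `setPathSafe`, `parseArgv` and `demonstrate` are hypothetical names.

```javascript
// Added example: a toy CLI parser with dot-notation keys (`--a.b=1`),
// in a vulnerable form and a hardened form. Not project code.

// Vulnerable: walks every path segment. A segment named `__proto__`
// resolves to Object.prototype, so the final assignment lands on the
// shared prototype and every object in the process inherits it.
function setPathUnsafe(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return target;
}

// Hardened: reject the segments that reach shared prototypes, and only
// descend into properties the current object actually owns.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
function setPathSafe(target, path, value) {
  if (path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
    throw new Error(`refusing to assign through prototype key: ${path.join('.')}`);
  }
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return target;
}

// Minimal argv parser: `--key=value`, `--key value` and bare `--flag`.
// Keys may contain dots; the supplied setPath decides how they are applied.
function parseArgv(argv, setPath) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    let key = arg.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq >= 0) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    setPath(out, key.split('.'), value);
  }
  return out;
}

// Runs both parsers on a constructed argv and reports what an unrelated,
// freshly created object sees afterwards. Undoes the pollution it caused
// so the rest of the process is unaffected.
function demonstrate() {
  const argv = ['--outdir=build', '--__proto__.polluted=yes']; // constructed input
  const results = {};

  parseArgv(argv, setPathUnsafe);
  results.unsafe = ({}).polluted;   // 'yes': leaked into Object.prototype
  delete Object.prototype.polluted; // clean up

  let safeError = null;
  try {
    parseArgv(argv, setPathSafe);
  } catch (e) {
    safeError = e.message;
  }
  results.safe = ({}).polluted;     // undefined: nothing leaked
  results.safeError = safeError;
  return results;
}

console.log(demonstrate());
```

The hardened variant is the shape of fix the advisory family received upstream: the check is on the key segments themselves, because by the time the assignment runs, `cur` already is the prototype object. Checking for an own property alone is not enough, since `{}['__proto__']` is an inherited accessor rather than an own property, which is exactly why the unsafe walk reaches it.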

acuarica commented 9 months ago

solc v0.5.5 removed in ec2b097b8bbd704cd22656500dd701fb0f4374a6
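To confirm that dropping solc v0.5.5 really removed the indirect dependency from the resolved tree, the added example below (not code from the acuarica/evm project) parses a Yarn v1 lockfile far enough to answer two questions: which versions of a package are still resolved, and which entries depend on it. The lockfile text is constructed for illustration; apart from the solc 0.5.5 to yargs ^11.0.0 edge reported in this issue, its version numbers and URLs are made up, and the function names are hypothetical.

```javascript
// Added example: minimal Yarn v1 lockfile parser used to check whether an
// indirect dependency (here `yargs`) is still resolved and who pulls it in.
// Not project code; handles the `version` and `dependencies` fields only.

// Name part of a spec such as `yargs@^11.0.0` or `@scope/pkg@^1.0.0`.
function specName(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0 ? spec.slice(0, at) : spec;
}

function unquote(s) {
  return s.startsWith('"') && s.endsWith('"') ? s.slice(1, -1) : s;
}

// Returns [{ name, specs, version, deps: { depName: range } }, ...].
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Entry header: comma-separated specs, possibly quoted, ending in ':'.
      const specs = line.slice(0, -1).split(',').map((s) => unquote(s.trim()));
      cur = { name: specName(specs[0]), specs, version: null, deps: {} };
      entries.push(cur);
      inDeps = false;
      continue;
    }
    if (!cur) continue;
    const trimmed = line.trim();
    if (line.startsWith('    ')) {
      // Four-space indent: a dependency line `name "range"` when inside deps.
      if (inDeps) {
        const m = trimmed.match(/^("[^"]+"|\S+)\s+"?([^"]+)"?$/);
        if (m) cur.deps[unquote(m[1])] = m[2];
      }
      continue;
    }
    // Two-space indent: a field of the current entry.
    inDeps = trimmed === 'dependencies:' || trimmed === 'optionalDependencies:';
    const vm = trimmed.match(/^version "([^"]+)"$/);
    if (vm) cur.version = vm[1];
  }
  return entries;
}

// Distinct resolved versions of `pkg` in the lockfile (empty if absent).
function resolvedVersions(entries, pkg) {
  return [...new Set(entries.filter((e) => e.name === pkg).map((e) => e.version))];
}

// Entries whose dependency list names `pkg`, as `name@version`.
function dependents(entries, pkg) {
  return entries
    .filter((e) => Object.prototype.hasOwnProperty.call(e.deps, pkg))
    .map((e) => `${e.name}@${e.version}`);
}

// Constructed lockfile fragment (illustrative versions and URLs).
const SAMPLE_LOCK = `# yarn lockfile v1


"solc@0.5.5":
  version "0.5.5"
  resolved "https://registry.example/solc-0.5.5.tgz"
  dependencies:
    yargs "^11.0.0"

yargs@^11.0.0:
  version "11.1.1"
  resolved "https://registry.example/yargs-11.1.1.tgz"
  dependencies:
    cliui "^4.0.0"
    yargs-parser "^9.0.2"

yargs-parser@^9.0.2:
  version "9.0.2"
  resolved "https://registry.example/yargs-parser-9.0.2.tgz"
`;

const entries = parseYarnLock(SAMPLE_LOCK);
console.log('yargs resolved as:', resolvedVersions(entries, 'yargs'));
console.log('pulled in by:', dependents(entries, 'yargs'));
```

Run against the repository's real `yarn.lock` after the commit above, `resolvedVersions(entries, 'yargs')` should come back empty; if it does not, `dependents` names the remaining entry that still needs to go.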