Closed bengobeil closed 3 weeks ago
just have one question in the code pertaining to behavior for empty rpcUrl now that web3auth does not allow undefined
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
Alert | Package | Note | Source |
---|---|---|---|
Protestware/Troll package | npm/es5-ext@0.10.62 |
| |
Install scripts | npm/es5-ext@0.10.62 |
| |
Install scripts | npm/esbuild@0.18.20 |
| |
Install scripts | npm/svelte-preprocess@5.0.1 |
| |
Install scripts | npm/@sveltejs/kit@1.0.0-next.589 |
| |
Install scripts | npm/esbuild@0.21.5 |
| |
Install scripts | npm/secp256k1@3.8.0 |
| |
Install scripts | npm/keccak@1.4.0 |
|
This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.
Consider that consuming this package my come along with functionality unrelated to its primary purpose.
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of ecosystem/package-name@version
specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0
or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore npm/es5-ext@0.10.62
@SocketSecurity ignore npm/esbuild@0.18.20
@SocketSecurity ignore npm/svelte-preprocess@5.0.1
@SocketSecurity ignore npm/@sveltejs/kit@1.0.0-next.589
@SocketSecurity ignore npm/esbuild@0.21.5
@SocketSecurity ignore npm/secp256k1@3.8.0
@SocketSecurity ignore npm/keccak@1.4.0
tested locally within our dapp
@Adamj1232 ready for review! (can't add a reviewer it seems)
@Adamj1232 ready for re-review, rpcUrl is required for web3auth
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/@ampproject/remapping@2.2.1, npm/@babel/code-frame@7.12.11, npm/@babel/helper-annotate-as-pure@7.22.5, npm/@babel/helper-environment-visitor@7.22.20, npm/@babel/helper-module-imports@7.22.15, npm/@babel/helper-validator-option@7.22.15, npm/@babel/parser@7.23.0, npm/@jridgewell/gen-mapping@0.3.3, npm/@jridgewell/resolve-uri@3.1.1, npm/@protobufjs/aspromise@1.1.2, npm/@protobufjs/base64@1.1.2, npm/@protobufjs/codegen@2.0.4, npm/@protobufjs/eventemitter@1.1.0, npm/@protobufjs/fetch@1.1.0, npm/@protobufjs/float@1.0.2, npm/@protobufjs/path@1.1.2, npm/@protobufjs/pool@1.1.0, npm/@protobufjs/utf8@1.1.0, npm/@types/glob@7.2.0, npm/@types/retry@0.12.1, npm/@types/ws@7.4.7, npm/accepts@1.3.8, npm/acorn@7.4.1, npm/agent-base@6.0.2, npm/aggregate-error@3.1.0, npm/ansi-html-community@0.0.8, npm/any-promise@1.3.0, npm/anymatch@3.1.3, npm/arg@4.1.3, npm/array-flatten@1.1.1, npm/assert-plus@1.0.0, npm/batch@0.6.1, npm/big-integer@1.6.51, npm/bluebird@3.7.2, npm/browser-process-hrtime@1.0.0, npm/bytes@3.1.2, npm/call-bind@1.0.2, npm/caniuse-lite@1.0.30001549, npm/combined-stream@1.0.8, npm/commander@2.20.3, npm/compressible@2.0.18, npm/console-control-strings@1.1.0, npm/core-util-is@1.0.2, npm/create-require@1.1.1, npm/cssom@0.3.8, npm/default-gateway@6.0.3, npm/depd@1.1.2, npm/enhanced-resolve@5.17.0, npm/escape-string-regexp@1.0.5, npm/esprima@4.0.1, npm/ethjs-unit@0.1.6, npm/extsprintf@1.3.0, npm/fast-safe-stringify@2.1.1, npm/get-intrinsic@1.1.1, npm/global@4.4.0, npm/has-symbols@1.0.2, npm/hdkey@2.0.1, npm/html-entities@2.3.3, npm/iconv-lite@0.4.24, npm/icss-utils@5.1.0, npm/ipaddr.js@1.9.1, npm/is-callable@1.2.4, npm/is-docker@2.2.1, npm/is-regex@1.1.4, npm/is-string@1.0.7, npm/is-symbol@1.0.4, npm/json-parse-even-better-errors@2.3.1, npm/json-stringify-safe@5.0.1, npm/json5@2.2.3, npm/keccak@3.0.2, npm/lodash@4.17.21, npm/mime-db@1.52.0, npm/mime-types@2.1.35, npm/minimist@1.2.8, npm/ms@2.1.3, npm/nanoid@3.3.6, npm/node-forge@1.3.1, npm/node-releases@2.0.13, npm/object-assign@4.1.1, npm/object-is@1.1.5, npm/open@8.4.2, npm/parseurl@1.3.3, npm/path-key@2.0.1, npm/postcss-value-parser@4.2.0, npm/postcss@8.4.31, npm/process@0.11.10, npm/range-parser@1.2.1, npm/readable-stream@3.6.0, npm/redis-errors@1.2.0, npm/regenerator-runtime@0.14.0, npm/safe-stable-stringify@2.4.3, npm/safer-buffer@2.1.2, npm/semver@5.7.1, npm/signal-exit@3.0.7, npm/source-map@0.5.7, npm/statuses@1.5.0, npm/tapable@2.2.1, npm/through2@2.0.5, npm/through@2.3.8, npm/tough-cookie@2.5.0, npm/tweetnacl@0.14.5, npm/unpipe@1.0.0, npm/uuid@8.3.2, npm/vary@1.1.2, npm/whatwg-mimetype@2.3.0, npm/xhr-request@1.1.0, npm/xhr@2.6.0, npm/xtend@4.0.2, npm/yallist@3.1.1
yarn check-all passes locally @Adamj1232 one check is failing but from what I can see it originates from another merged PR
@bengobeil Im getting this error running the alpha branch - does privateKeyProvider
need to be added to web3Auth init props?
@bengobeil Im getting this error running the alpha branch - does
privateKeyProvider
need to be added to web3Auth init props?
Yes, looks like this when I initialize it
@bengobeil Im getting this error running the alpha branch - does
privateKeyProvider
need to be added to web3Auth init props?Yes, looks like this when I initialize it
from package @web3auth/ethereum-provider
@bengobeil Ok well I will need to revert this merge as it doesnt look like it was tested with the internal demo app or updated for the necessary props
@Adamj1232 OK, I tried using the demo app with the current version (without my changes) and it didn't seem to work either. I think there is a react dependency.
I think the same props in a react app and it worked (the demo is with svelte).
As for the new props, how do you want to handle that?
@bengobeil new props will need to be added to the Web3AuthModuleInitOptions
type here - https://github.com/blocknative/web3-onboard/blob/4d47a5c8f1cb69ae335653ef63066823341a4463/packages/web3auth/src/index.ts#L11
Then after checking with the internal svelte demo that it works we can test again. If there is a react dependency then it may need to be added to the web3auth package.json - possibly as a peer-dep depending on how its setup
@Adamj1232 it seems privateKeyProvider
is already in the props as part of Web3AuthOptions
you should get a compiler error if it's not present
I will however try to get it working with the demo
Description
resolve #2056
PLEASE NOTE- Checklist must be complete prior to review.
Checklist
package.json
of the package you have made changes in following semantic versioning and using alpha release taggingyarn check-all
to confirm there are not any associated errorsDocs Checklist
docs/package.json
file (if applicable)If this PR includes changes to add an injected wallet or SDK wallet module:
Please complete the following using the internal demo package. To run this demo use the command
yarn && yarn dev
to get the project running athttp://localhost:8080/
Tests with demo app (injected)
Tests with demo app (SDK)