celo-org / celo-monorepo

Official repository for core projects comprising the Celo platform
https://celo.org
Apache License 2.0

chore(deps): update dependency web3 to v1.5.3 [security] (release/core-contracts/6) - autoclosed #11074

Closed renovate[bot] closed 3 months ago

renovate[bot] commented 3 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| web3 | `1.3.6` -> `1.5.3` |

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Insecure Credential Storage in web3

GHSA-27v7-qhfv-rqq8

#### Details

All versions of `web3` are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.

##### Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

#### Severity

- CVSS Score: 3.3 / 10 (Low)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`

#### References

- [https://github.com/ethereum/web3.js/issues/2739](https://togithub.com/ethereum/web3.js/issues/2739)
- [https://github.com/ethereum/web3.js](https://togithub.com/ethereum/web3.js)
- [https://snyk.io/vuln/SNYK-JS-WEB3-174533](https://snyk.io/vuln/SNYK-JS-WEB3-174533)
- [https://www.npmjs.com/advisories/877](https://www.npmjs.com/advisories/877)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-27v7-qhfv-rqq8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

ChainSafe/web3.js (web3)

### [`v1.5.3`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#153)

[Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.5.2...v1.5.3)

##### Fixed

- Unable to send legacy transaction if network supported EIP-1559 ([#4277](https://togithub.com/ChainSafe/web3.js/issues/4277))
- Fixed bug in sending transaction with providers that do not support the "newBlockHeaders" event ([#3891](https://togithub.com/ChainSafe/web3.js/issues/3891))

##### Changed

- ethers from 5.1.4 to 5.4.4 ([#4231](https://togithub.com/ChainSafe/web3.js/issues/4231))
- karma from 5.2.3 to 6.3.4 ([#4231](https://togithub.com/ChainSafe/web3.js/issues/4231))
- lerna from 3.22.1 to 4.0.0 ([#4231](https://togithub.com/ChainSafe/web3.js/issues/4231))
- Dropped build tests in CI for Node v8 and v10, and added support for Node v14 ([#4231](https://togithub.com/ChainSafe/web3.js/issues/4231))
- Change default value for `maxPriorityFeePerGas` from `1 Gwei` to `2.5 Gwei` ([#4284](https://togithub.com/ChainSafe/web3.js/issues/4284))
- Fixed bug in signTransaction ([#4295](https://togithub.com/ChainSafe/web3.js/issues/4295))

### [`v1.5.2`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#152)

[Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.5.1...v1.5.2)

##### Fixed

- Remove transaction `type` defaulting for `eth.sendTransaction`, `eth.sendRawTransaction` ([#4241](https://togithub.com/ChainSafe/web3.js/issues/4241))
- `type: 0x0` was being added to legacy transaction when using `eth.signTransaction` ([#4241](https://togithub.com/ChainSafe/web3.js/issues/4241))

### [`v1.5.1`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#151)

[Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.5.0...v1.5.1)

##### Added

- `maxPriorityFeePerGas` and `maxFeePerGas` now included in `_txInputFormatter` ([#4217](https://togithub.com/ChainSafe/web3.js/issues/4217))
- If `maxPriorityFeePerGas` or `maxFeePerGas` is present, `_txInputFormatter` deletes `tx.gasPrice` (fixes [#4211](https://togithub.com/ChainSafe/web3.js/issues/4211)) ([#4217](https://togithub.com/ChainSafe/web3.js/issues/4217))
- Add block tag support (e.g. `latest`, `pending`, `earliest`) to `getFeeHistory` ([#4224](https://togithub.com/ChainSafe/web3.js/issues/4224))
- Support for EIP-1559 to `web3.eth.sendTransaction` ([#4220](https://togithub.com/ChainSafe/web3.js/issues/4220))

### [`v1.5.0`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#150)

[Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.4.0...v1.5.0)

##### Added

- London transaction support ([#4155](https://togithub.com/ChainSafe/web3.js/issues/4155))
- RPC support for the `eth_feehistory` call ([#4191](https://togithub.com/ChainSafe/web3.js/issues/4191))
- Add `toNumber` method to `web3.utils` ([#4191](https://togithub.com/ChainSafe/web3.js/issues/4191))

##### Changed

- Grammar fix ([#4088](https://togithub.com/ChainSafe/web3.js/issues/4088)) and updated Swarm ([#4151](https://togithub.com/ChainSafe/web3.js/issues/4151)) and Whisper doc links ([#4170](https://togithub.com/ChainSafe/web3.js/issues/4170))
- Removed deprecation notice for HttpProvider ([#4008](https://togithub.com/ChainSafe/web3.js/issues/4008))
- Nonce added to send options in documentation and types ([#4052](https://togithub.com/ChainSafe/web3.js/issues/4052))
- Updated Solidity example to modern syntax ([#4147](https://togithub.com/ChainSafe/web3.js/issues/4147))
- Changing web3 connection example from `let` to `const` ([#3967](https://togithub.com/ChainSafe/web3.js/issues/3967))
- Updated the documentation for the transaction object to include EIP-2718 and EIP-1559 options ([#4188](https://togithub.com/ChainSafe/web3.js/issues/4188))

### [`v1.4.0`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#140)

[Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.3.6...v1.4.0)

##### Added

- Berlin Transaction Support ([#4083](https://togithub.com/ChainSafe/web3.js/issues/4083))
- When signing a transaction, common object now defaults to berlin instead of petersburg

##### Changed

- Changed Geth Docker version from `stable` to `1.10.3` in `e2e.geth.instamine.sh` and `scripts/e2e.geth.automine.sh` ([#4154](https://togithub.com/ChainSafe/web3.js/issues/4154))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] commented 3 months ago

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: packages/protocol/package-lock.json
npm WARN deprecated typechain-target-truffle@1.0.2: For TypeChain 2.x use @typechain/truffle-v4 or v5
npm WARN deprecated ethereumjs-vm@4.2.0: New package name format for new versions: @ethereumjs/vm. Please update.
npm WARN deprecated truffle-contract@4.0.31: WARNING: This package has been renamed to @truffle/contract.
npm WARN deprecated @openzeppelin/upgrades@2.8.0: The OpenZeppelin SDK is no longer being developed. For smart contract upgrades check out the OpenZeppelin Upgrades Plugins. https://zpl.in/upgrades-plugins
npm WARN deprecated truffle-resolver@5.0.16: WARNING: This package has been renamed to @truffle/resolver.
npm WARN deprecated truffle-artifactor@4.0.30: WARNING: This package has been renamed to @truffle/artifactor.
npm WARN deprecated ethereumjs-block@2.2.2: New package name format for new versions: @ethereumjs/block. Please update.
npm WARN deprecated ethereumjs-account@3.0.0: Please use Util.Account class found on package ethereumjs-util@^7.0.6 https://github.com/ethereumjs/ethereumjs-util/releases/tag/v7.0.6
npm WARN deprecated ethereumjs-blockchain@4.0.4: New package name format for new versions: @ethereumjs/blockchain. Please update.
npm WARN deprecated ethereumjs-tx@2.1.2: New package name format for new versions: @ethereumjs/tx. Please update.
npm WARN deprecated ethereumjs-common@1.5.2: New package name format for new versions: @ethereumjs/common. Please update.
npm WARN deprecated axios@0.18.1: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated @truffle/config@1.3.61: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/error@0.0.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/contract-sources@0.1.12: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/external-compile@1.0.36: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/expect@0.0.12: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/artifactor@4.0.199: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated mythxjs@1.3.13: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/compile-vyper@1.0.71: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/resolver@5.1.12: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated @truffle/contract@4.6.31: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated @truffle/error@0.2.2: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/expect@0.0.15: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/contract-schema@3.4.16: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/expect@0.0.13: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/provider@0.3.13: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/events@0.1.25: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/compile-solidity@4.3.22: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/provisioner@0.2.84: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/interface-adapter@0.5.37: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/blockchain-utils@0.1.9: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/debug-utils@6.0.57: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated uuid@2.0.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated @truffle/error@0.0.11: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/spinners@0.2.5: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/dashboard-message-bus-client@0.1.12: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/compile-common@0.3.12: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @ensdomains/resolver@0.2.4: Please use @ensdomains/ens-contracts
npm WARN deprecated @ensdomains/ens@0.4.5: Please use @ensdomains/ens-contracts
npm WARN deprecated @truffle/codec@0.17.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated cids@0.7.5: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@0.5.7: This module has been superseded by the multiformats module
npm WARN deprecated testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.
npm WARN deprecated @truffle/compile-common@0.9.8: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated multicodec@1.0.4: This module has been superseded by the multiformats module
npm WARN deprecated multibase@0.6.1: This module has been superseded by the multiformats module
npm WARN deprecated multibase@0.7.0: This module has been superseded by the multiformats module
npm WARN deprecated @truffle/promise-tracker@0.1.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated glob@7.1.6: Glob versions prior to v9 are no longer supported
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated @truffle/dashboard-message-bus-common@0.1.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @truffle/abi-utils@1.0.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated fsevents@2.1.3: "Please update to latest v2.3 or v2.2"
npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t https://github.com/celo-org/truffle-plugin-blockscout-verify.git
npm ERR! 
npm ERR! remote: Support for password authentication was removed on August 13, 2021.
npm ERR! remote: Please see https://docs.github.com/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls for information on currently recommended modes of authentication.
npm ERR! fatal: Authentication failed for 'https://github.com/celo-org/truffle-plugin-blockscout-verify.git/'
npm ERR! 
npm ERR! exited with error code: 128

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-06-19T16_52_17_845Z-debug.log
File name: packages/cli/npm-shrinkwrap.json
npm WARN deprecated @types/web3@1.2.2: This is a stub types definition. web3 provides its own type definitions, so you do not need this installed.
npm WARN deprecated @oclif/dev-cli@1.26.10: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @oclif/config@1.18.17: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @oclif/command@1.8.36: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @oclif/errors@1.3.6: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated cli-ux@5.6.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @oclif/config@1.18.2: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @oclif/errors@1.3.5: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @oclif/help@1.0.15: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @oclif/parser@3.8.17: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated @oclif/config@1.18.16: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @celo/utils@1.3.1-dev.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.
npm ERR! notarget 
npm ERR! notarget It was specified as a dependency of 'cli'
npm ERR! notarget 

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-06-19T16_52_23_010Z-debug.log
File name: packages/attestation-service/package-lock.json
npm WARN deprecated @types/dotenv@8.2.0: This is a stub types definition. dotenv provides its own type definitions, so you do not need this installed.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated sequelize@5.21.5: Please update to v6 or higher! A migration guide can be found here: https://sequelize.org/v6/manual/upgrade-to-v6.html
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated q@2.0.3: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm WARN deprecated 
npm WARN deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated node-pre-gyp@0.11.0: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future
npm WARN deprecated fsevents@1.2.13: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2
npm WARN deprecated uuid@2.0.3: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated npmlog@4.1.2: This package is no longer supported.
npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated figgy-pudding@3.5.2: This module is no longer supported.
npm WARN deprecated move-concurrently@1.0.1: This package is no longer supported.
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated mkdirp-promise@5.0.1: This package is broken and no longer maintained. 'mkdirp' itself supports promises now, please switch to that.
npm WARN deprecated osenv@0.1.5: This package is no longer supported.
npm WARN deprecated are-we-there-yet@1.1.7: This package is no longer supported.
npm WARN deprecated gauge@2.7.4: This package is no longer supported.
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated cids@0.7.5: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@0.5.7: This module has been superseded by the multiformats module
npm WARN deprecated fs-write-stream-atomic@1.0.10: This package is no longer supported.
npm WARN deprecated copy-concurrently@1.0.5: This package is no longer supported.
npm WARN deprecated multibase@0.6.1: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@1.0.4: This module has been superseded by the multiformats module
npm WARN deprecated multibase@0.7.0: This module has been superseded by the multiformats module
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @celo/keystores@1.3.1-dev.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.
npm ERR! notarget 
npm ERR! notarget It was specified as a dependency of 'attestation-service'
npm ERR! notarget 

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-06-19T16_52_31_879Z-debug.log
socket-security[bot] commented 3 months ago

New dependencies detected. Learn more about Socket for GitHub.

| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/web3@1.5.3 | Transitive: environment, eval, filesystem, network, shell, unsafe | +650 | 76.6 MB | spacesailor |

View full report.