Open renovate[bot] opened 3 months ago
The latest updates on your projects. Learn more about Vercel for Git ↗︎
Name | Status | Preview | Comments | Updated (UTC) |
---|---|---|---|---|
react-celo | ❌ Failed (Inspect) | | | Jun 18, 2024 8:58pm |
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
Package | New capabilities | Transitives | Size | Publisher |
---|---|---|---|---|
npm/@ethereumjs/common@2.6.5 | None | +2 | 2.88 MB | holgerd77 |
npm/@ethereumjs/rlp@4.0.1 | None | 0 | 51.6 kB | holgerd77 |
npm/@ethereumjs/tx@3.5.2 | None | 0 | 431 kB | holgerd77 |
npm/@ethereumjs/util@8.1.0 | Transitive: network | +5 | 886 kB | holgerd77 |
npm/@noble/curves@1.4.0 | None | 0 | 1.39 MB | paulmillr |
npm/@noble/hashes@1.4.0 | None | 0 | 773 kB | paulmillr |
npm/web3@1.5.3 | Transitive: environment, eval, filesystem, network, shell, unsafe | +163 | 18 MB | spacesailor |
🚮 Removed packages: npm/@ethereumjs/common@2.5.0, npm/@ethereumjs/tx@3.3.2
👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎
This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
This PR contains the following updates:

- 1.8.1 -> 1.8.2
- 1.3.6 -> 1.5.3
Insecure Credential Storage in web3

GHSA-27v7-qhfv-rqq8

More information

#### Details

All versions of `web3` are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.

##### Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

#### Severity

- CVSS Score: 3.3 / 10 (Low)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`

#### References

- [https://github.com/ethereum/web3.js/issues/2739](https://togithub.com/ethereum/web3.js/issues/2739)
- [https://github.com/ethereum/web3.js](https://togithub.com/ethereum/web3.js)
- [https://snyk.io/vuln/SNYK-JS-WEB3-174533](https://snyk.io/vuln/SNYK-JS-WEB3-174533)
- [https://www.npmjs.com/advisories/877](https://www.npmjs.com/advisories/877)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-27v7-qhfv-rqq8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes
ChainSafe/web3.js (web3)
### [`v1.8.2`](https://togithub.com/web3/web3.js/releases/tag/v1.8.2)

[Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.8.1...v1.8.2)

##### Changed

- Updated Webpack 4 to Webpack 5, more details at ([#5629](https://togithub.com/ChainSafe/web3.js/issues/5629))
- `crypto-browserify` module is now used only in webpack builds for polyfilling browsers ([#5629](https://togithub.com/ChainSafe/web3.js/issues/5629))
- Updated `ethereumjs-util` to `7.1.5` ([#5629](https://togithub.com/ChainSafe/web3.js/issues/5629))
- Updated `lerna` 4 to version 6 ([#5680](https://togithub.com/ChainSafe/web3.js/issues/5680))
- Bump utils 0.12.0 to 0.12.5 ([#5691](https://togithub.com/ChainSafe/web3.js/issues/5691))

##### Fixed

- Fixed types for `web3.utils._jsonInterfaceMethodToString` ([#5550](https://togithub.com/ChainSafe/web3.js/issues/5550))
- Fixed Next.js builds failing on Node.js v16, AbortController added if it doesn't exist globally ([#5601](https://togithub.com/ChainSafe/web3.js/issues/5601))
- Builds fixed by updating all typescript versions to 4.1 ([#5675](https://togithub.com/ChainSafe/web3.js/issues/5675))

##### Removed

- `clean-webpack-plugin` has been removed from dev-dependencies ([#5629](https://togithub.com/ChainSafe/web3.js/issues/5629))

##### Added

- `https-browserify`, `process`, `stream-browserify`, `stream-http`, `crypto-browserify` added to dev-dependencies for polyfilling ([#5629](https://togithub.com/ChainSafe/web3.js/issues/5629))
- Add `readable-stream` to dev-dependencies for webpack ([#5629](https://togithub.com/ChainSafe/web3.js/issues/5629))

##### Security

- `npm audit fix` for libraries update ([#5726](https://togithub.com/ChainSafe/web3.js/issues/5726))

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate. View repository job log here.