Open renovate[bot] opened 4 months ago
socket-security[bot]
commented
4 months ago 👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎
This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
openzeppelin-code[bot]
commented
4 months ago Generated at commit: d36d0eefaf6d24eb5ccdda820b8077bf0031e6d5
🚨 Report Summary
Severity Level Results Contracts Critical High Medium Low Note Total 1 2 0 8 28 39 Dependencies Critical High Medium Low Note Total 0 0 0 2 30 32
For more details view the full report in OpenZeppelin Code Inspector
socket-security[bot]
commented
3 months ago New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/body-parser@1.19.1 | network | +5 |
119 kB | dougwilson |
| npm/express@4.17.2 | environment, filesystem, network Transitive: eval | +8 |
478 kB | dougwilson |
| npm/send@0.17.2 | filesystem, network | +3 |
63.8 kB | dougwilson |
| npm/serve-static@1.14.2 | None | 0 |
24.9 kB | dougwilson |
| npm/web3@1.5.3 | Transitive: environment, eval, filesystem, network | +40 |
8.49 MB | spacesailor |
🚮 Removed packages: npm/accepts@1.3.8, npm/body-parser@1.20.1, npm/destroy@1.2.0, npm/express@4.18.2, npm/finalhandler@1.2.0, npm/negotiator@0.6.3, npm/on-finished@2.4.1, npm/send@0.18.0, npm/serve-static@1.15.0
soloseng
commented
1 month ago This is blocked by #76 due to node version incompatibilities.
This PR contains the following updates:
1.3.6->1.5.3Insecure Credential Storage in web3
GHSA-27v7-qhfv-rqq8
More information
#### Details All versions of `web3` are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key. ##### Recommendation No fix is currently available. Consider using an alternative module until a fix is made available. #### Severity - CVSS Score: 3.3 / 10 (Low) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N` #### References - [https://github.com/ethereum/web3.js/issues/2739](https://togithub.com/ethereum/web3.js/issues/2739) - [https://github.com/ethereum/web3.js](https://togithub.com/ethereum/web3.js) - [https://snyk.io/vuln/SNYK-JS-WEB3-174533](https://snyk.io/vuln/SNYK-JS-WEB3-174533) - [https://www.npmjs.com/advisories/877](https://www.npmjs.com/advisories/877) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-27v7-qhfv-rqq8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
ChainSafe/web3.js (web3)
### [`v1.5.3`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#153) [Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.5.2...v1.5.3) ##### Fixed - Unable to send legacy transaction if network supported EIP-1559 ([#4277](https://togithub.com/ChainSafe/web3.js/issues/4277)) - Fixed bug in sending transaction with providers not support "newBlockHeaders" event ([#3891](https://togithub.com/ChainSafe/web3.js/issues/3891)) ##### Changed - ethers from 5.1.4 to 5.4.4 ([#4231](https://togithub.com/ChainSafe/web3.js/issues/4231)) - karma from 5.2.3 to 6.3.4 ([#4231](https://togithub.com/ChainSafe/web3.js/issues/4231)) - lerna from 3.22.1 to 4.0.0 ([#4231](https://togithub.com/ChainSafe/web3.js/issues/4231)) - Dropped build tests in CI for Node v8 and v10, and added support for Node v14 ([#4231](https://togithub.com/ChainSafe/web3.js/issues/4231)) - Change default value for `maxPriorityFeePerGas` from `1 Gwei` to `2.5 Gwei` ([#4284](https://togithub.com/ChainSafe/web3.js/issues/4284)) - Fixed bug in signTransaction ([#4295](https://togithub.com/ChainSafe/web3.js/issues/4295)) ### [`v1.5.2`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#152) [Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.5.1...v1.5.2) ##### Fixed - Remove transaction `type` defaulting for `eth.sendTransaction`, `eth.sendRawTransaction` ([#4241](https://togithub.com/ChainSafe/web3.js/issues/4241)) - `type: 0x0` was being added to legacy transaction when using `eth.signTransaction` ([#4241](https://togithub.com/ChainSafe/web3.js/issues/4241)) ### [`v1.5.1`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#151) [Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.5.0...v1.5.1) ##### Added - `maxPriorityFeePerGas` and `maxFeePerGas` now included in `_txInputFormatter` ([#4217](https://togithub.com/ChainSafe/web3.js/issues/4217)) - If `maxPriorityFeePerGas` of `maxFeePerGas` present `_txInputFormatter` deletes `tx.gasPrice` (fixes [#4211](https://togithub.com/ChainSafe/web3.js/issues/4211)) ([#4217](https://togithub.com/ChainSafe/web3.js/issues/4217)) - Add block tag support (e.g. `latest`, `pending`, `earliest`) to `getFeeHistory` ([#4224](https://togithub.com/ChainSafe/web3.js/issues/4224)) - Support for EIP-1559 to `web3.eth.sendTransaction` ([#4220](https://togithub.com/ChainSafe/web3.js/issues/4220)) ### [`v1.5.0`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#150) [Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.4.0...v1.5.0) ##### Added - London transaction support ([#4155](https://togithub.com/ChainSafe/web3.js/issues/4155)) - RPC support `eth_feehistory` call ([#4191](https://togithub.com/ChainSafe/web3.js/issues/4191)) - Add `toNumber` method to `web3.utils` ([#4191](https://togithub.com/ChainSafe/web3.js/issues/4191)) ##### Changed - Grammar fix ([#4088](https://togithub.com/ChainSafe/web3.js/issues/4088)) and updated Swarm ([#4151](https://togithub.com/ChainSafe/web3.js/issues/4151))and Whisper doc links ([#4170](https://togithub.com/ChainSafe/web3.js/issues/4170)) - Removed deprecation notice for HttpProvider ([#4008](https://togithub.com/ChainSafe/web3.js/issues/4008)) - Nonce added to send options in documentation and types ([#4052](https://togithub.com/ChainSafe/web3.js/issues/4052)) - Updated Solidity example to modern syntax ([#4147](https://togithub.com/ChainSafe/web3.js/issues/4147)) - Changing web3 connection example from lets to const ([#3967](https://togithub.com/ChainSafe/web3.js/issues/3967)) - Updated the documentation for the transaction object to include EIP-2718 and EIP-1559 options ([#4188](https://togithub.com/ChainSafe/web3.js/issues/4188)) ### [`v1.4.0`](https://togithub.com/ChainSafe/web3.js/blob/HEAD/CHANGELOG.md#140) [Compare Source](https://togithub.com/ChainSafe/web3.js/compare/v1.3.6...v1.4.0) ##### Added - Berlin Transaction Support ([#4083](https://togithub.com/ChainSafe/web3.js/issues/4083)) - When signing a transaction, common object now defaults to berlin instead of petersburg ##### Changed - Changed Geth Docker verision from `stable` to `1.10.3` in `e2e.geth.instamine.sh` and `scripts/e2e.geth.automine.sh` ([#4154](https://togithub.com/ChainSafe/web3.js/issues/4154))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.