cgewecke / eth-gas-reporter

Gas usage per unit test. Average gas usage per method. A mocha reporter.
MIT License
603 stars 94 forks

Update package-lock.json file to automatically remove the vulnerability introduced in eth-gas-reporter #252

Closed paimon0715 closed 8 months ago

paimon0715 commented 3 years ago

Hi, @cgewecke, I have reported a vulnerability issue in package ethers.

As far as I am aware, vulnerability CVE-2020-28498 detected in package elliptic<6.5.4 is directly referenced by ethers@4.0.48, on which your package eth-gas-reporter@0.2.22 directly depends. As such, this vulnerability can also affect eth-gas-reporter@0.2.22 via the following path: eth-gas-reporter@0.2.22 ➔ ethers@4.0.48 ➔ elliptic@6.5.3 (vulnerable version)

Since ethers has released a new patched version, ethers@4.0.49, to resolve this issue (ethers@4.0.49 ➔ elliptic@6.5.4 (safe version)), this vulnerability patch can be propagated into your project automatically only if you update your package-lock.json file (delete package-lock.json and re-execute the npm install command): eth-gas-reporter@0.2.22 ➔ ethers@4.0.49 ➔ elliptic@6.5.4 (vulnerability fix version).

A warm tip.^_^ Best regards, Paimon

cgewecke commented 8 months ago

Hi! eth-gas-reporter is being deprecated in favor of hardhat-gas-reporter.

The latest version at Hardhat has updated dependencies and only uses some ethersproject 5.7.0 sub-packages - this vuln is fixed.

https://github.com/cgewecke/hardhat-gas-reporter/releases/tag/v2.0.0