code-423n4 / 2022-05-opensea-seaport-findings


QA Report #197

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Project dependencies contain vulnerabilities - Insecure Credential Storage in web3

Description

Although dependency scans did not yield a direct threat to the Seaport codebase, yarn audit identified a dependency with a known vulnerability. Due to the sensitivity of the deployment code and its environment, it is important to ensure dependencies are not malicious. Problems with dependencies in the development pipeline could have a significant effect on the Seaport system as a whole. The yarn audit output detailing the vulnerability is provided below: (I can't insert/attach the file)

│ Package       │ web3                                                                                     │
│ Patched in    │ No patch available                                                                       │
│ Dependency of │ ethereum-waffle                                                                          │
│ Path          │ ethereum-waffle > @ethereum-waffle/chai > @ethereum-waffle/provider > ganache-core > web3 │

Exploit Scenario

Alice installs the Consideration dependencies on a clean machine. Unbeknownst to Alice, a dependency of the project contains an exploitable high-severity bug that could lead to the disclosure of sensitive information. Alice subsequently uses the dependency, disclosing sensitive information to an unknown actor.

Recommendations

Short term, use yarn audit to ensure dependencies are up to date. Several node modules have been documented as malicious because they execute malicious code when installing dependencies to projects. Keep modules current and verify their integrity after installation. Long term, consider integrating automated dependency auditing into the development workflow. If a dependency cannot be updated when a vulnerability is disclosed, ensure that the Seaport codebase does not use and is not affected by the vulnerable functionality of the dependency.

More info: https://www.npmjs.com/advisories/1067669
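An added example (not part of the report above or of the Seaport project) of the automated gating the recommendations describe: it parses the newline-delimited JSON that `yarn audit --json` emits, fails the build at a chosen severity, and keeps advisories that carry a documented risk acceptance (for instance, no patch exists and the vulnerable functionality is not used) separate from blocking ones. The sample audit lines are constructed; the second advisory and its id are placeholders.

```python
import json
from typing import Dict, List, Optional

# Rank used to decide whether an advisory fails the build.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample of `yarn audit --json` output (one JSON object per line).
# The first record mirrors the web3 finding in the report; the second is a
# placeholder low-severity advisory with a made-up id.
WEB3_PATH = "ethereum-waffle>@ethereum-waffle/chai>@ethereum-waffle/provider>ganache-core>web3"
SAMPLE_AUDIT_OUTPUT = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1067669, "path": WEB3_PATH, "dev": True},
        "advisory": {"id": 1067669, "module_name": "web3", "severity": "high",
                     "title": "Insecure Credential Storage in web3",
                     "patched_versions": "<0.0.0",  # npm's convention for "no patch available"
                     "findings": [{"version": "1.2.11", "paths": [WEB3_PATH]}]}}}),
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1000001, "path": "example-dev-tool>example-lib", "dev": True},
        "advisory": {"id": 1000001, "module_name": "example-lib", "severity": "low",
                     "title": "placeholder low-severity advisory", "patched_versions": ">=2.0.0",
                     "findings": [{"version": "1.9.0", "paths": ["example-dev-tool>example-lib"]}]}}}),
    json.dumps({"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 0}}}),
])


def parse_audit(ndjson: str) -> List[dict]:
    """Return the advisory objects from yarn's newline-delimited audit output."""
    records = (json.loads(line) for line in ndjson.splitlines() if line.strip())
    return [r["data"]["advisory"] for r in records if r.get("type") == "auditAdvisory"]


def triage(ndjson: str, fail_level: str = "high",
           accepted: Optional[Dict[int, str]] = None) -> Dict[str, List[dict]]:
    """Sort advisories into 'blocking' (fails the build), 'accepted' (documented
    risk decision keyed by advisory id) and 'below_threshold' (reported only)."""
    accepted = accepted or {}
    threshold = SEVERITY_RANK[fail_level]
    result: Dict[str, List[dict]] = {"blocking": [], "accepted": [], "below_threshold": []}
    for adv in parse_audit(ndjson):
        entry = {"id": adv["id"], "module": adv["module_name"], "severity": adv["severity"],
                 "no_patch": adv.get("patched_versions") == "<0.0.0",
                 "paths": adv["findings"][0]["paths"]}
        if adv["id"] in accepted:          # acceptance must name the reason, e.g. unused code path
            entry["reason"] = accepted[adv["id"]]
            result["accepted"].append(entry)
        elif SEVERITY_RANK.get(adv["severity"], 0) >= threshold:
            result["blocking"].append(entry)
        else:
            result["below_threshold"].append(entry)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_AUDIT_OUTPUT)
    for e in report["blocking"]:
        print(f"BLOCK {e['module']} #{e['id']} {e['severity']} no_patch={e['no_patch']} via {e['paths'][0]}")
    raise SystemExit(1 if report["blocking"] else 0)
```

In CI the script would read the real `yarn audit --json` output from stdin instead of the constructed sample, and the accepted map would live in a reviewed file in the repository so that each exception is traceable to a decision.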

0xleastwood commented 2 years ago

Curious to hear your thoughts on this @0age. Just checking this was missed or if it was instead acknowledged as a non-issue.

HardlyDifficult commented 2 years ago

The feedback here is about the dev environment. It's not helpful to the contest's goal of securing and improving the contracts. Closing this as invalid.

GalloDaSballo commented 2 years ago

I believe this to be invalid, as no vulnerability for the code was shown as a consequence of the advisory from npm