Open cgero-eth opened 1 month ago
Thanks for the snippet.
This was addressed when the exploit was announced in v6, but it certainly makes sense to port back into v5 as it is still widely used.
lol, just a merge needed on v5? Please resolve this, easy to close :D
It’s not really “easy to close”… The v5 branch is 2.5 years old; I’ve spent the last week carefully updating the tests (migrating from Goerli to Sepolia, redeploying contracts, etc.), deployment scripts and other dev dependencies though and it is almost ready with the updated ws package. :)
It still has 650k downloads per week though, so important not to bork and make sure the change is well tested. :)
Hey @ricmoo any status update here? We are also trying to patch this vulnerability in our codebase and would love to continue using your incredible ethers library!
Ethers Version
5.7.2
Search Terms
ws, vulnerability, DoS, v5
Describe the Problem
Ethers.js v5.7.2 depends on a vulnerable version of the ws package. The vulnerability allows a DoS attack. The ws package must be updated to version >= 8.17.1 to fix the vulnerability. The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
Code Snippet
From Dependabot:
Contract ABI
N/A
Errors
N/A
Environment
Ethereum (mainnet/ropsten/rinkeby/goerli), Altcoin - Please specify (e.g. Polygon), node.js (v12 or newer), Browser (Chrome, Safari, etc)
Environment (Other)
No response
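The issue asks for ws to be at or above 8.17.1, and the practical question for anyone depending on ethers v5 is whether every copy of ws in their install tree (including copies nested under ethers rather than the hoisted one) meets that floor. The script below is an added example written for this thread, not code from the ethers.js project or from any commenter. It walks an npm lockfile (lockfileVersion 1, 2 or 3), collects each resolved copy of ws, and reports those below the fixed version using a numeric semver comparison. The lockfile it scans is a constructed sample embedded inline; the version numbers in it, the `sample-app` name and the nested-copy layout are assumptions for illustration, not ethers' real dependency tree.

```javascript
// Added example (not from the ethers.js project): scan an npm lockfile for
// every copy of `ws` and flag versions below the patched release 8.17.1.
// The lockfile at the bottom is a constructed sample, not ethers' real lockfile.

const MIN_SAFE_WS = "8.17.1"; // first ws release with the fix, per the issue text

// Parse "MAJOR.MINOR.PATCH" (a leading "v" or a pre-release suffix is tolerated
// and ignored) into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, 0 if equal, positive if a > b. Numeric per component, so
// "8.17.1" correctly sorts above "8.9.0" (a plain string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect every resolved copy of `pkgName` in a lockfile object.
// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
//   "node_modules/ethers/node_modules/ws" for a nested copy.
// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function findPackageCopies(lock, pkgName) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      // Match the exact package directory only, so "node_modules/wscat" is not a hit.
      if (path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkgName) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Copies of `pkgName` whose version is still below `minSafe`.
function findVulnerableCopies(lock, pkgName, minSafe) {
  return findPackageCopies(lock, pkgName).filter(
    (c) => compareVersions(c.version, minSafe) < 0
  );
}

// Constructed sample lockfile (v3 layout, assumed for illustration): a hoisted,
// patched ws plus an older nested copy under ethers. Versions are sample values.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/ws": { version: "8.17.1" },
    "node_modules/ethers": { version: "5.7.2" },
    "node_modules/ethers/node_modules/ws": { version: "7.4.6" },
    "node_modules/wscat": { version: "5.2.0" }, // different package, must not match
  },
};

// Audit the embedded sample; returns the list of unpatched ws copies.
function auditSample() {
  return findVulnerableCopies(SAMPLE_LOCK, "ws", MIN_SAFE_WS);
}

if (typeof require !== "undefined" && require.main === module) {
  // To audit a real project, replace SAMPLE_LOCK with
  // JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
  for (const c of auditSample()) {
    console.log(`${c.path}: ws ${c.version} is below ${MIN_SAFE_WS}`);
  }
}
```

On the sample tree the hoisted ws passes while the nested copy under ethers is reported, which is the case a top-level `npm ls ws` check is easy to misread: a patched hoisted version does not mean the copy ethers actually loads is patched. Running this against a real package-lock.json after bumping ws confirms that no pre-8.17.1 copy survived anywhere in the tree.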