jellydn / nft-app

How to create your own NFT and mint NFT token
https://nft-app.productsway.com/
MIT License
215 stars 98 forks

chore(deps): update dependency @openzeppelin/contracts to v4.9.6 [security] #1086

Closed renovate[bot] closed 5 months ago

renovate[bot] commented 5 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| @openzeppelin/contracts (source) | 4.9.5 -> 4.9.6 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-27094

Impact

The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer.

Although the encode function pads the output for these cases, up to 4 bits of data are kept between the encoding and padding, corrupting the output if these bits were dirty (i.e. memory after the input is not 0). These conditions are more frequent in the following scenarios:

Developers should evaluate whether the extra bits can be maliciously manipulated by an attacker.

Patches

Upgrade to 5.0.2 or 4.9.6.

References

This issue was reported by the Independent Security Researcher Riley Holterhus through Immunefi (@rileyholterhus on X).


Release Notes

OpenZeppelin/openzeppelin-contracts (@openzeppelin/contracts)

### [`v4.9.6`](https://togithub.com/OpenZeppelin/openzeppelin-contracts/blob/HEAD/CHANGELOG.md#496-2024-02-29)

[Compare Source](https://togithub.com/OpenZeppelin/openzeppelin-contracts/compare/v4.9.5...v4.9.6)

- `Base64`: Fix issue where dirty memory located just after the input buffer is affecting the result. ([#4929](https://togithub.com/OpenZeppelin/openzeppelin-contracts/pull/4929))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
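The advisory quoted in the Renovate comment is easiest to understand on a tiny buffer. The Python below is an added model written for this page; it is not OpenZeppelin's Solidity, not code from this repository, and not the Renovate bot's output. It reproduces the three pieces the advisory names: a loop that reads the input in 3-byte chunks, a final chunk that reaches 1 or 2 bytes past the end when the length is not a multiple of 3, and a padding step that overwrites whole characters rather than the stray bits. The helper names (`encode_oz_style`, `max_dirty_bits`, `compare`, `fixed_matches_stdlib`) are assumptions of the model, `after` is a constructed stand-in for whatever memory follows the buffer, and the `zero_after` switch models the fix as "clear the bytes after the buffer before encoding", which is an assumption about mechanism; the 4.9.6 changelog only says dirty memory after the buffer no longer affects the result.

```python
"""Model of the CVE-2024-27094 Base64.encode over-read (added illustration,
not OpenZeppelin's code). Only the mechanism the advisory describes is
modelled: 3-byte chunking, over-read on the last chunk, character-level
padding.
"""
import base64

_TABLE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_oz_style(data: bytes, after: bytes, zero_after: bool) -> str:
    """Encode `data` with a 4.9.5-style chunk loop.

    after      - constructed bytes that sit immediately after the input buffer.
    zero_after - model the fix by clearing those bytes before the loop
                 (assumption about the fix's mechanism, see lead-in).
    """
    if not data:
        return ""
    tail = bytes(len(after)) if zero_after else after
    mem = data + tail + bytes(2)  # the model never reads beyond this
    out = bytearray()
    for pos in range(0, len(data), 3):
        # The last window may straddle the end of `data` and pick up `after`.
        v = int.from_bytes(mem[pos:pos + 3], "big")
        out += bytes(_TABLE[(v >> s) & 0x3F] for s in (18, 12, 6, 0))
    rem = len(data) % 3  # padding replaces characters, not the dirty bits
    if rem == 1:
        out[-2:] = b"=="
    elif rem == 2:
        out[-1:] = b"="
    return out.decode("ascii")


def max_dirty_bits(length: int) -> int:
    """Output bits sourced from past the buffer, from the 6-bit group layout.

    len % 3 == 1: 2nd character = 2 bits of byte 0 + 4 bits from after the end
    len % 3 == 2: 3rd character = 4 bits of byte 1 + 2 bits from after the end
    """
    return {0: 0, 1: 4, 2: 2}[length % 3]


def compare(data: bytes, after: bytes) -> dict:
    """Vulnerable vs fixed output for one input, checked against the stdlib."""
    canonical = base64.b64encode(data).decode("ascii")
    vulnerable = encode_oz_style(data, after, zero_after=False)
    fixed = encode_oz_style(data, after, zero_after=True)
    return {
        "canonical": canonical,
        "vulnerable": vulnerable,
        "fixed": fixed,
        "corrupted": vulnerable != canonical,
        # Lenient decoders discard the stray bits, so a round trip hides the bug.
        "decodes_to_input": base64.b64decode(vulnerable) == data,
    }


def fixed_matches_stdlib(max_len: int = 64) -> bool:
    """The fixed variant must equal base64.b64encode for every length."""
    for n in range(max_len + 1):
        data = bytes((i * 37 + 11) & 0xFF for i in range(n))  # constructed input
        expected = base64.b64encode(data).decode("ascii")
        if encode_oz_style(data, b"\xff\xff", zero_after=True) != expected:
            return False
    return True


if __name__ == "__main__":
    # Constructed samples: one input per residue class of len % 3.
    for sample, junk in ((b"M", b"\xff\xff"), (b"Ma", b"\xff"), (b"Man", b"\xff\xff")):
        print(len(sample) % 3, max_dirty_bits(len(sample)), compare(sample, junk))
```

Running it shows the length-1 input picking up four foreign bits in its second character, the length-2 input two bits in its third, and a length divisible by 3 unaffected, which matches the "up to 4 bits" in the advisory. Note that `base64.b64decode` still returns the original bytes for the corrupted strings, so a decode round trip will not catch this; it only shows up where the encoded string itself is compared, hashed or stored, as with a base64 data URI built on-chain.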

vercel[bot] commented 5 months ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| nft-app | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Mar 20, 2024 4:15am |
codesandbox[bot] commented 5 months ago

Review or Edit in CodeSandbox

Open the branch in Web Editor / VS Code / Insiders
Open Preview

changeset-bot[bot] commented 5 months ago

⚠️ No Changeset found

Latest commit: d6f89e6a556122ef786fe1e57c351f3c0ea79820

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

socket-security[bot] commented 5 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/@openzeppelin/contracts@4.9.6 | None | 0 | 2.02 MB | frangio |

🚮 Removed packages: npm/@openzeppelin/contracts@4.9.5

View full report↗︎

socket-security[bot] commented 5 months ago

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎