build(deps-dev): bump truffle from 5.2.4 to 5.4.29

[dependabot[bot]]

Bumps truffle from 5.2.4 to 5.4.29.

Release notes

Sourced from truffle's releases.

v5.4.29 – Chocolate Fountain

Hello all! We've got a batch of bug fixes 🕷 for you this week!

Firstly, we've made it so that Truffle Contract will now ignore any default values for gasPrice ⛽, maxFeePerGas, or maxPriorityFeePerGas coming from the Truffle config when making read-only calls (as opposed to transactions). Many networks have problems with such calls when these options are set, with the result that people who set defaults in their config for use with transactions would encounter problems when they then tried to make these calls ☎ instead. Now read-only calls will ignore these defaults, which should resolve these problems; note that you can still explicitly set these parameters if you choose to do so. Thanks especially to @​hellwolf for getting the ball rolling on this. 🐺

The other set of changes this week is to improve the reliability of truffle debug --fetch-external 🐶, or @truffle/fetch-and-compile, when fetching verified sources from Sourcify. There were previously some errors in how Truffle handled this, but now these have been fixed and we should be able to get sources from them more reliably.

That's all for this week... but we'll be back next week with something you've been waiting for quite a while! 🎁

How to upgrade

We recommend upgrading to the latest version of Truffle by running:

npm uninstall -g truffle
npm install -g truffle

Changelog

Bug fixes

• Ignore config gas prices when making a call (#4606 by @​haltman-at)
• Remove compilationTarget field from metadata from Sourcify (#4612 by @​haltman-at)
• Use Unicode matching in Sourcify replacement (#4613 by @​haltman-at)
• Replace special characters with underscores when fetching from Sourcify (#4610 by @​haltman-at)

Internal improvements

• Fix debugger test sourcemap issues (#4611 by @​michaeljohnbennett)

v5.4.28 – The colors, Duke, the colors!

Oh golly gee! Here's a Sunday hotfix for you to address a security concern raised by several people. ⚠️ We recommend upgrading to this version of Truffle as soon as possible. The colors package has suffered a software supply-chain attack and certain versions of this package (now unpublished) cause a Denial-of-Service (DoS) as soon as the module is loaded. As best we can tell, and as explained by this article, your private keys are safe and the extent of this issue lies with the package consuming system resources unduly. Nonetheless, upgrade as soon as possible to avoid this vulnerability, which prevents you from using Truffle.

Thanks to @​benoitrongeard @​Juan-de-Costa-Rica @​devdattakhoche @​JoepdeJong @​neurosnap @​plainfatboy and possibly others who have quickly raised the issue with us so that we could address it!

This release also contains a few other merged changes, including adding a helpful warning in some expected failure conditions when running truffle debug. Check the changelog below for the full list.

Thank you! Please let us know if you run into any further trouble.

How to upgrade

We recommend upgrading to the latest version of Truffle by running:

npm uninstall -g truffle
npm install -g truffle

Changelog

... (truncated)

Commits

• 79d1cc2 Publish
• cbbdad4 Publish
• 615e198 Publish
• 4d587fc Publish
• 6536867 Publish
• 23ec13e Use webpack from workspace node_modules for building Truffle
• d004215 root: upgrade and configure eslint*
• 8b02341 Fix problem with webpack and rx-lite-aggregates
• 90ef6d9 root: cleanup husky, prettier, lint-staged
• b381167 Publish
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot[bot]]

Dependabot tried to add @artem-brazhnikov as a reviewer to this PR, but received the following error from GitHub:

POST https://api.github.com/repos/rsksmart/rif-marketplace-storage/pulls/342/requested_reviewers: 422 - Reviews may only be requested from collaborators. One or more of the users or teams you specified is not a collaborator of the rsksmart/rif-marketplace-storage repository. // See: https://docs.github.com/rest/reference/pulls#request-reviewers-for-a-pull-request

[dependabot[bot]]

Superseded by #346.