Package Vulnerability

[DmytroShalaiev]

tough-cookie (package.json) 2.5.0 . CVE-2023-26136 https://avd.aquasec.com/nvd/cve-2023-26136
tough-cookie: prototype pollution in cookie memstore,

Fixed in 4.1.3

[dasanra]

Thank you for your report.

We are currently working to remove web3 v1 dependency that will get rid of those unmaintained libs. In any case the protocol-kit is not affected as it doesn't make use of the Swarm network.

[DmytroShalaiev]

Thanks

[andrewkmin]

Hi there, any update on moving off of web3 v1? There is a vulnerability in web3-utils < v4.2.1. However, here's the dependency tree:

@safe-global/protocol-kit@3.0.1 > web3@1.10.4 > web3-core@1.10.4 > web3-core-helpers@1.10.4 > web3-eth-iban@1.10.4 > web3-utils@1.10.4

meaning typechecks would fail with this combination of versions.

Would appreciate an update, thanks!

[dasanra]

@andrewkmin Thank you for sharing this. It will be our main focus until we get rid of it.

[DmytroShalaiev]

Hello, are there any updates?

[dasanra]

@DmytroShalaiev we are currently working on a big refactor in which we will get rid of web3 v1

https://github.com/safe-global/safe-core-sdk/pull/770

[DmytroShalaiev]

Thanks I will follow updates

[DmytroShalaiev]

@dasanra https://github.com/safe-global/safe-core-sdk/pull/770 merged, is it already released? If yes - new tags are still vulnerable. If no - maybe you can share ~ due date.

[dasanra]

@DmytroShalaiev we are preparing the release yet, we will publish the new version soon. There will be breaking changes affecting some of the kits, we are finishing the migration guides before publishing.

[DmytroShalaiev]

Thanks, will be waiting

[dasanra]

@DmytroShalaiev latest published version should solve all the mentioned vulnerabilities

https://github.com/safe-global/safe-core-sdk/releases/tag/r40

[DmytroShalaiev]

Thanks I will upgrade and check

[dasanra]

Closing because the vulnerable version is not part of the repo anymore.

[DmytroShalaiev]

Thanks you