Closed: DmytroShalaiev closed this issue 2 months ago
Thank you for your report.
We are currently working to remove the web3 v1 dependency, which will get rid of those unmaintained libs. In any case, the protocol-kit is not affected, as it doesn't make use of the Swarm network.
Thanks
Hi there, any update on moving off of web3 v1? There is a vulnerability in web3-utils < v4.2.1. However, here's the dependency tree:
@safe-global/protocol-kit@3.0.1 > web3@1.10.4 > web3-core@1.10.4 > web3-core-helpers@1.10.4 > web3-eth-iban@1.10.4 > web3-utils@1.10.4
meaning typechecks would fail with this combination of versions.
Would appreciate an update, thanks!
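The chain quoted above is exactly what a lockfile walk should surface. The following added example (not code from the Safe SDK repository) walks a constructed package-lock.json v3 `packages` map and reports every dependency chain that ends in a version of a target package below the version it was fixed in; the assumed lockfile mirrors the protocol-kit > web3 > ... > web3-utils chain, with a patched 4.x copy hoisted at the top level and the 1.x copy nested under web3-eth-iban.

```javascript
// Added example (not Safe SDK code): walk a package-lock.json v3 "packages" map and
// report every dependency chain ending in a version of `target` below `fixedIn`.
// The lockfile is constructed to mirror the chain reported in this issue.
const LOCK = { packages: {
  "": { dependencies: { "@safe-global/protocol-kit": "3.0.1", "web3-utils": "^4.2.1" } },
  "node_modules/@safe-global/protocol-kit": { version: "3.0.1", dependencies: { web3: "^1.10.4" } },
  "node_modules/web3": { version: "1.10.4", dependencies: { "web3-core": "1.10.4" } },
  "node_modules/web3-core": { version: "1.10.4", dependencies: { "web3-core-helpers": "1.10.4" } },
  "node_modules/web3-core-helpers": { version: "1.10.4", dependencies: { "web3-eth-iban": "1.10.4" } },
  "node_modules/web3-eth-iban": { version: "1.10.4", dependencies: { "web3-utils": "1.10.4" } },
  "node_modules/web3-utils": { version: "4.2.1" },                             // hoisted, patched
  "node_modules/web3-eth-iban/node_modules/web3-utils": { version: "1.10.4" }, // nested, vulnerable
} };
// Node-style resolution: nearest node_modules first, then walk up toward the root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const key = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// True when dotted version a is lower than b (pre-release suffixes ignored).
function versionLt(a, b) {
  const n = (v) => v.split("-")[0].split(".").map(Number);
  const pa = n(a), pb = n(b);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}
// Depth-first walk from the root package; `seen` holds the current path to break cycles.
function vulnerableChains(lock, target, fixedIn) {
  const pk = lock.packages, found = [];
  const walk = (path, chain, seen) => {
    for (const dep of Object.keys(pk[path].dependencies || {})) {
      const key = resolveDep(pk, path, dep);
      if (!key || seen.has(key)) continue; // not installed (optional/peer) or a cycle
      const label = `${dep}@${pk[key].version}`;
      if (dep === target) {
        if (versionLt(pk[key].version, fixedIn)) found.push([...chain, label].join(" > "));
      } else walk(key, [...chain, label], new Set([...seen, key]));
    }
  };
  walk("", ["root"], new Set());
  return found;
}
console.log(vulnerableChains(LOCK, "web3-utils", "4.2.1"));
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` and it also covers entries like the tough-cookie one (target `tough-cookie`, fixed in `4.1.3`); the hoisted 4.2.1 copy is correctly ignored because only the nested 1.10.4 copy resolves from web3-eth-iban.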
@andrewkmin Thank you for sharing this. It will be our main focus until we get rid of it.
Hello, are there any updates?
@DmytroShalaiev we are currently working on a big refactor in which we will get rid of web3 v1.
Thanks, I will follow updates.
@dasanra https://github.com/safe-global/safe-core-sdk/pull/770 merged, is it already released? If yes, new tags are still vulnerable. If not, maybe you can share an approximate due date.
@DmytroShalaiev we are still preparing the release; we will publish the new version soon. There will be breaking changes affecting some of the kits, so we are finishing the migration guides before publishing.
Thanks, will be waiting.
@DmytroShalaiev the latest published version should solve all the mentioned vulnerabilities:
https://github.com/safe-global/safe-core-sdk/releases/tag/r40
Thanks, I will upgrade and check.
Closing because the vulnerable version is not part of the repo anymore.
Thank you.
tough-cookie (package.json) 2.5.0, CVE-2023-26136: https://avd.aquasec.com/nvd/cve-2023-26136
tough-cookie: prototype pollution in cookie memstore
Fixed in 4.1.3