scodec / scodec-bits

Provides immutable datatypes for working with bits and bytes
BSD 3-Clause "New" or "Revised" License
115 stars 58 forks

Upgrading scodec bits from `1.1.30` -> `1.1.3x` results in failure #378

Closed Christewart closed 1 year ago

Christewart commented 2 years ago

The stack trace looks like this on the PR: https://github.com/bitcoin-s/bitcoin-s/runs/6490536713?check_suite_focus=true#step:5:415

This seems to be a regression introduced in 1.1.31

coreTestJS/test
[info] Updating NPM dependencies
[error] npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
[error] npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
[error] npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
[error] npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
[error] npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
[error] npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
[error] npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
[error] npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
[info] added 612 packages, and audited 613 packages in 51s
[info] 26 packages are looking for funding
[info]   run `npm fund` for details
[info] 14 vulnerabilities (6 moderate, 5 high, 3 critical)
[info] To address issues that do not require attention, run:
[info]   npm audit fix
[info] To address all issues, run:
[info]   npm audit fix --force
[info] Run `npm audit` for details.
[info] Fast optimizing /home/chris/dev/bitcoin-s/core-test/.js/target/scala-2.13/bitcoin-s-core-test-test-fastopt
[error] Referring to non-existent class java.security.SecureRandom
[error]   called from private java.util.UUID$.csprng$lzycompute()java.util.Random
[error]   called from private java.util.UUID$.csprng()java.util.Random
[error]   called from java.util.UUID$.randomUUID()java.util.UUID
[error]   called from static java.util.UUID.randomUUID()java.util.UUID
[error]   called from org.scalatest.tools.TestSortingReporter.distributingTest(java.lang.String)void
[error]   called from private org.scalatest.AsyncSuperEngine.$anonfun$runTestImpl$1(java.lang.String,org.scalatest.DistributedTestSorter)void
[error]   called from org.scalatest.AsyncSuperEngine.runTestImpl(org.scalatest.Suite,java.lang.String,org.scalatest.Args,boolean,boolean,scala.Function2,scala.concurrent.ExecutionContext)org.scalatest.Status
[error]   called from org.scalatest.flatspec.AsyncFlatSpecLike.runTest(java.lang.String,org.scalatest.Args)org.scalatest.Status
[error]   called from org.bitcoins.core.util.FutureUtilTest.org$scalatest$BeforeAndAfter$$super$runTest(java.lang.String,org.scalatest.Args)org.scalatest.Status
[error]   called from org.scalatest.BeforeAndAfter.runTest(java.lang.String,org.scalatest.Args)org.scalatest.Status
[error]   called from org.bitcoins.core.util.FutureUtilTest.runTest(java.lang.String,org.scalatest.Args)org.scalatest.Status

mpilquist commented 2 years ago

Hm, scodec-bits doesn't call UUID.randomUUID and the stack trace looks like it's coming from ScalaTest? Any ideas @armanbilge?

armanbilge commented 2 years ago

Yup, this is https://github.com/scala-js/scala-js/security/advisories/GHSA-j2f9-w8wh-9ww4. You should be able to reproduce it by updating to Scala.js 1.10 without updating scodec-bits.

See the Scala.js release notes about how to upgrade to 1.10. https://www.scala-js.org/news/2022/04/04/announcing-scalajs-1.10.0/

mpilquist commented 2 years ago

Thanks!