:warning: The Truffle Suite is being sunset. For information on ongoing support, migration options and FAQs, visit the Consensys blog. Thank you for all the support over the years.
ganache-cli@6.12.2 comes with vulnerabilities, as detected by snyk.
Please update the dependencies.
Steps to Reproduce
Run snyk test or, theoretically, any other dependency vulnerability scanner on any project using that version of ganache.
Expected Behavior
No vulnerabilities detected in any indirect dependency
Actual Results
Issues with no direct upgrade or patch:
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@4.1.0
introduced by ganache-cli@6.12.2 > yargs@13.2.4 > cliui@5.0.0 > string-width@3.1.0 > strip-ansi@5.2.0 > ansi-regex@4.1.0
This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1
✗ Cryptographic Issues [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899] in elliptic@6.5.3
introduced by ganache-cli@6.12.2 > ethereumjs-util@6.2.1 > elliptic@6.5.3 and 1 other path(s)
This issue was fixed in versions: 6.5.4
✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-Y18N-1021887] in y18n@4.0.0
introduced by ganache-cli@6.12.2 > yargs@13.2.4 > y18n@4.0.0
This issue was fixed in versions: 3.2.2, 4.0.1, 5.0.5
Environment
truffle version: 5.6.5
node --version: 16.17.1
npm --version: 8.15.0
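All three findings above are transitive: none of them can be removed by upgrading a direct dependency of the consumer's own project, which is why snyk files them under "no direct upgrade or patch". The example below is added here and is not code from ganache-cli, Truffle or snyk. It reproduces the path-walking check snyk performs, over a dependency tree shaped like `npm ls --json` output and constructed from the paths quoted in the issue (plus one constructed, already-patched sibling that is not in the issue), using the "fixed in" versions from the cited advisories, and then derives the package.json `overrides` a consumer of ganache-cli@6.12.2 could pin until upstream bumps yargs and ethereumjs-util.

```javascript
// Added example for this issue (not code from ganache-cli, Truffle or snyk):
// walk a dependency tree and report every path ending in a release below its
// first fixed version, then derive consumer-side package.json "overrides".

// Advisory data copied from the snyk output quoted in the issue.
const ADVISORIES = {
  'ansi-regex': { id: 'SNYK-JS-ANSIREGEX-1583908', title: 'Regular Expression Denial of Service (ReDoS)', severity: 'High', fixedIn: ['3.0.1', '4.1.1', '5.0.1', '6.0.1'] },
  elliptic: { id: 'SNYK-JS-ELLIPTIC-1064899', title: 'Cryptographic Issues', severity: 'Medium', fixedIn: ['6.5.4'] },
  y18n: { id: 'SNYK-JS-Y18N-1021887', title: 'Prototype Pollution', severity: 'High', fixedIn: ['3.2.2', '4.0.1', '5.0.5'] },
};

// Tree constructed from the paths quoted in the issue (shape of `npm ls --json`).
// The trailing strip-ansi@6.0.1 > ansi-regex@6.0.1 branch is a constructed,
// already-patched sibling (not in the issue) to show the check does not over-report.
const TREE = {
  name: 'ganache-cli', version: '6.12.2',
  dependencies: {
    yargs: { version: '13.2.4', dependencies: {
      cliui: { version: '5.0.0', dependencies: {
        'string-width': { version: '3.1.0', dependencies: {
          'strip-ansi': { version: '5.2.0', dependencies: { 'ansi-regex': { version: '4.1.0' } } },
        } },
      } },
      y18n: { version: '4.0.0' },
    } },
    'ethereumjs-util': { version: '6.2.1', dependencies: { elliptic: { version: '6.5.3' } } },
    'strip-ansi': { version: '6.0.1', dependencies: { 'ansi-regex': { version: '6.0.1' } } },
  },
};

// Numeric "major.minor.patch" comparison; the tree has no prerelease tags.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// snyk lists one fixed release per affected major line. A version is vulnerable
// if it is below the fix in its own major line, or below the lowest fix when its
// line predates every fix. Returns the release to upgrade to, or null if fixed.
function requiredFix(version, fixedIn) {
  const sorted = [...fixedIn].sort(compareSemver);
  const major = version.split('.')[0];
  const inLine = sorted.find((f) => f.split('.')[0] === major);
  const candidate = inLine ?? (compareSemver(version, sorted[0]) < 0 ? sorted[0] : null);
  if (candidate === null) return null;
  return compareSemver(version, candidate) < 0 ? candidate : null;
}

// Depth-first walk; each vulnerable occurrence is reported with the full path
// that introduces it, like the "introduced by" lines in the snyk output.
function findVulnerablePaths(tree, advisories = ADVISORIES) {
  const findings = [];
  const walk = (name, node, trail) => {
    const path = [...trail, `${name}@${node.version}`];
    const adv = advisories[name];
    const fix = adv ? requiredFix(node.version, adv.fixedIn) : null;
    if (fix !== null) {
      findings.push({ package: name, version: node.version, fix, path: path.join(' > '),
        id: adv.id, title: adv.title, severity: adv.severity });
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) walk(dep, child, path);
  };
  walk(tree.name, tree, []);
  return findings;
}

// package.json "overrides" (npm >= 8.3; yarn calls the field "resolutions")
// pinning each vulnerable transitive package to the highest fix its occurrences need.
function buildOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    if (!overrides[f.package] || compareSemver(f.fix, overrides[f.package]) > 0) {
      overrides[f.package] = f.fix;
    }
  }
  return overrides;
}

const report = findVulnerablePaths(TREE);
for (const f of report) {
  console.log(`${f.severity}: ${f.title} in ${f.package}@${f.version} (${f.id})`);
  console.log(`  introduced by ${f.path}; fixed in ${f.fix}`);
}
console.log(JSON.stringify({ overrides: buildOverrides(report) }, null, 2));
```

Run it with node. The `overrides` field needs npm 8.3 or later (the reporter's npm 8.15.0 qualifies); yarn users put the same map under `resolutions`. Overriding a transitive dependency is a stop-gap: it only works when the fixed release is API-compatible with what the intermediate packages (yargs@13.2.4 and ethereumjs-util@6.2.1 here) expect, which is usually true for patch-level bumps like these, and it masks rather than fixes the upstream problem, so record the advisory IDs next to the pin and re-run `snyk test` after applying it. Given the sunset notice at the top of the page, an upstream bump may not arrive, which makes the consumer-side pin the practical route.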