trufflesuite / ganache

:warning: The Truffle Suite is being sunset. For information on ongoing support, migration options and FAQs, visit the Consensys blog. Thank you for all the support over the years.
https://consensys.io/blog/consensys-announces-the-sunset-of-truffle-and-ganache-and-new-hardhat?utm_source=github&utm_medium=referral&utm_campaign=2023_Sep_truffle-sunset-2023_announcement_
MIT License

Solve dependencies vulnerabilities #3915

Closed marcello33 closed 1 year ago

marcello33 commented 1 year ago

Issue

ganache-cli@6.12.2 comes with vulnerabilities, as detected by snyk.

Please, update the dependencies.

Steps to Reproduce

Run snyk test or, theoretically, any other dependency vulnerability detector on any project that uses that version of ganache.

Expected Behavior

No vulnerabilities detected in any indirect dependency

Actual Results

Issues with no direct upgrade or patch:

  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@4.1.0
    introduced by ganache-cli@6.12.2 > yargs@13.2.4 > cliui@5.0.0 > string-width@3.1.0 > strip-ansi@5.2.0 > ansi-regex@4.1.0
  This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1

  ✗ Cryptographic Issues [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899] in elliptic@6.5.3
    introduced by ganache-cli@6.12.2 > ethereumjs-util@6.2.1 > elliptic@6.5.3 and 1 other path(s)
  This issue was fixed in versions: 6.5.4

  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-Y18N-1021887] in y18n@4.0.0
    introduced by ganache-cli@6.12.2 > yargs@13.2.4 > y18n@4.0.0
  This issue was fixed in versions: 3.2.2, 4.0.1, 5.0.5

Environment
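As an added example (not part of the issue or of the ganache project), the script below reproduces the kind of transitive-path check the snyk report above performs: it walks a hand-constructed dependency tree that mirrors the reported paths and flags any package whose installed version is below the listed fix. The tree, the helper names and the rule that a major line with no listed fix counts as vulnerable are assumptions.

```javascript
// Added example (not from the issue or ganache): walk an npm-style dependency
// tree and report paths ending at packages still below the fixed version.
// The tree is constructed to mirror the paths in the snyk report above.
const tree = {
  name: "ganache-cli", version: "6.12.2", dependencies: [
    { name: "yargs", version: "13.2.4", dependencies: [
      { name: "cliui", version: "5.0.0", dependencies: [
        { name: "string-width", version: "3.1.0", dependencies: [
          { name: "strip-ansi", version: "5.2.0", dependencies: [
            { name: "ansi-regex", version: "4.1.0", dependencies: [] } ] } ] } ] },
      { name: "y18n", version: "4.0.0", dependencies: [] } ] },
    { name: "ethereumjs-util", version: "6.2.1", dependencies: [
      { name: "elliptic", version: "6.5.3", dependencies: [] } ] } ] };

// Advisory ids and "fixed in" versions exactly as listed in the report.
const advisories = {
  "ansi-regex": { id: "SNYK-JS-ANSIREGEX-1583908", fixedIn: ["3.0.1", "4.1.1", "5.0.1", "6.0.1"] },
  "elliptic":   { id: "SNYK-JS-ELLIPTIC-1064899", fixedIn: ["6.5.4"] },
  "y18n":       { id: "SNYK-JS-Y18N-1021887", fixedIn: ["3.2.2", "4.0.1", "5.0.5"] },
};

// Minimal x.y.z comparison; enough for the versions above (no pre-release tags).
const parseVersion = (v) => v.split(".").map(Number);
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Assumption: a version is vulnerable if it is older than the fix in its own
// major line, or if no fix exists for that major line at all.
function isVulnerable(version, fixedIn) {
  const major = parseVersion(version)[0];
  const fix = fixedIn.find((f) => parseVersion(f)[0] === major);
  return fix === undefined || compareVersions(version, fix) < 0;
}

// Depth-first walk; returns one hit per vulnerable package occurrence, with the
// full "introduced by" path so the root dependency to upgrade is visible.
function findVulnerablePaths(node, advisories, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const hits = [];
  const adv = advisories[node.name];
  if (adv && isVulnerable(node.version, adv.fixedIn)) hits.push({ id: adv.id, path: here.join(" > ") });
  for (const dep of node.dependencies) hits.push(...findVulnerablePaths(dep, advisories, here));
  return hits;
}

for (const hit of findVulnerablePaths(tree, advisories)) console.log(hit.id, hit.path);
```

A real scan would build the tree from the project's lockfile instead of the literal above; the path output makes clear that upgrading the root dependency (ganache-cli here) is what removes all three findings.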

davidmurdoch commented 1 year ago

The ganache-cli package is deprecated. You need to switch to ganache as indicated in the deprecation message.