trufflesuite / truffle

:warning: The Truffle Suite is being sunset. For information on ongoing support, migration options and FAQs, visit the Consensys blog. Thank you for all the support over the years.
https://consensys.io/blog/consensys-announces-the-sunset-of-truffle-and-ganache-and-new-hardhat?utm_source=github&utm_medium=referral&utm_campaign=2023_Sep_truffle-sunset-2023_announcement_
MIT License

Vulnerabilities in some dependencies #5704

Open marcello33 opened 2 years ago

marcello33 commented 2 years ago

Issue

@truffle/hdwallet-provider@2.1.1 comes with vulnerabilities, as detected by snyk.

Please, update the dependencies.

Steps to Reproduce

Run `snyk test` or, theoretically, any other dependency vulnerability detector on any truffle project.

Expected Behavior

No vulnerabilities detected

Actual Results

Issues with no direct upgrade or patch:
  ✗ Open Redirect [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-GOT-2932019] in got@9.6.0
    introduced by @truffle/hdwallet-provider@2.1.1 > web3@1.7.4 > web3-bzz@1.7.4 > got@9.6.0 and 1 other path(s)
  This issue was fixed in versions: 11.8.5, 12.1.0
  ✗ Insecure Credential Storage [Low Severity][https://security.snyk.io/vuln/SNYK-JS-WEB3-174533] in web3@1.7.4
    introduced by @truffle/hdwallet-provider@2.1.1 > @types/web3@1.2.2 > web3@1.8.0 and 4 other path(s)
  No upgrade or patch available
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-WS-1296835] in ws@3.3.3
    introduced by @truffle/hdwallet-provider@2.1.1 > @types/web3@1.2.2 > web3@1.8.0 > web3-bzz@1.8.0 > swarm-js@0.1.42 > eth-lib@0.1.29 > ws@3.3.3 and 1 other path(s)
  This issue was fixed in versions: 7.4.6, 6.2.2, 5.2.3

Environment
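Added example, not part of this issue report or of the Truffle project: a small Node script that scans a package-lock.json "packages" map (lockfile v2/v3 layout) for every installed copy of the packages Snyk flagged above, including nested copies such as the ws under eth-lib, using the "fixed in versions" lists quoted in the issue, and emits a candidate npm `overrides` block. The lockfile fragment is constructed to mirror the paths in the report; how a "fixed in" list is interpreted is an assumption noted in the comments.

```javascript
// Advisory table transcribed from the Snyk output in the issue body.
const ADVISORIES = {
  ws:  { id: "SNYK-JS-WS-1296835",  title: "ReDoS",         fixedIn: ["7.4.6", "6.2.2", "5.2.3"] },
  got: { id: "SNYK-JS-GOT-2932019", title: "Open Redirect", fixedIn: ["11.8.5", "12.1.0"] },
};

// Constructed package-lock.json fragment (lockfileVersion 2 "packages" map).
const LOCK = {
  packages: {
    "node_modules/got": { version: "9.6.0" },
    "node_modules/web3-bzz": { version: "1.7.4" },
    "node_modules/eth-lib/node_modules/ws": { version: "3.3.3" },
    "node_modules/web3-providers-ws/node_modules/ws": { version: "7.5.9" },
  },
};

const parse = (v) => v.split(".").map(Number);          // "7.4.6" -> [7, 4, 6]
const lt = (a, b) => {                                   // true when a < b (semver core only)
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
};

// Assumption: a "fixed in" list names the first patched release of each major
// line. A version is vulnerable if it precedes the fix for its own major, or if
// its major is older than every patched line; majors newer than all fixes are
// treated as unaffected (e.g. ws 8.x).
function isVulnerable(version, fixedIn) {
  const major = parse(version)[0];
  const sameLine = fixedIn.find((f) => parse(f)[0] === major);
  if (sameLine) return lt(version, sameLine);
  return major < Math.min(...fixedIn.map((f) => parse(f)[0]));
}

// Walk every installed copy (nested ones included) and report the vulnerable ones.
function findVulnerable(lock, advisories = ADVISORIES) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const adv = advisories[name];
    if (adv && isVulnerable(meta.version, adv.fixedIn))
      hits.push({ path, name, version: meta.version, id: adv.id, title: adv.title });
  }
  return hits;
}

// Candidate npm "overrides" block forcing each hit onto the newest patched line;
// a forced bump (e.g. ws 3.x -> 7.x under eth-lib) still has to be tested against its dependants.
function overridesFor(hits) {
  const out = {};
  for (const h of hits) out[h.name] = ADVISORIES[h.name].fixedIn.reduce((best, f) => (lt(best, f) ? f : best));
  return out;
}

console.log(findVulnerable(LOCK), overridesFor(findVulnerable(LOCK)));
```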

haltman-at commented 2 years ago

This appears to be identical to #5703, so I'm closing it in favor of that one.

marcello33 commented 2 years ago

Hi @haltman-at, my bad, sorry. I updated the description; the issues here are different now, as you can see (these are related to @truffle/hdwallet-provider@2.1.1).

Can you reopen the PR? Thank you.

haltman-at commented 2 years ago

Sure, I can reopen the issue. For simplicity in the future I'd recommend just filing a new issue in a case like this.

cds-amal commented 2 years ago

These seem to be coming from web3, but we'll add to our backlog and eventually get to it. You should report this issue to Web3 as well.

marcello33 commented 2 years ago

Will report to web3 too. Thanks.

marcello33 commented 1 year ago

I reported it to web3 too. They'll include a fix in the next release.

marcello33 commented 1 year ago

The thing is: truffle should also use the latest web3 version (currently 1.8.1).

eggplantzzz commented 1 year ago

Sure! Sometimes keeping up to date with web3 is not trivial. I'll go ahead and put in a PR for that version to see if it is an easy upgrade and will pass CI.