web3 / web3.js

Collection of comprehensive TypeScript libraries for Interaction with the Ethereum JSON RPC API and utility functions.
https://web3js.org/

web3-bzz `swarm-js` depends on deprecated vulnerable `request` #6002

Closed vincent-l-j closed 1 year ago

vincent-l-j commented 1 year ago

Is there an existing issue for this?

There is a related issue that mentions the vulnerability in got upon which swarm-js also depends.

Current Behavior

The swarm-js dependency in web3-bzz depends on request which is deprecated and has a Server-Side Request Forgery vulnerability according to the GitHub Advisory Database. The package-lock.json file in web3-bzz was created with an old version of npm. Running npm install inside web3-bzz installs packages with vulnerabilities but also warns that the web3-bzz api will be deprecated in the next version:

```
❯ npm install
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile

> web3-bzz@1.9.0 postinstall
> echo "WARNING: the web3-bzz api will be deprecated in the next version"

WARNING: the web3-bzz api will be deprecated in the next version

up to date, audited 344 packages in 13s

34 packages are looking for funding
  run `npm fund` for details

7 moderate severity vulnerabilities
```

The report generated by npm audit is:

```
# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install swarm-js@0.1.35, which is a breaking change
node_modules/request
  @qiwi/npm-registry-client  *
  Depends on vulnerable versions of request
  node_modules/@qiwi/npm-registry-client
    @definitelytyped/utils  >=0.0.88
    Depends on vulnerable versions of @qiwi/npm-registry-client
    node_modules/@definitelytyped/utils
      dtslint  >=3.6.6
      Depends on vulnerable versions of @definitelytyped/utils
      node_modules/dtslint
  servify  *
  Depends on vulnerable versions of request
  node_modules/servify
    eth-lib  0.1.24 - 0.1.29
    Depends on vulnerable versions of servify
    node_modules/eth-lib
      swarm-js  >=0.1.36
      Depends on vulnerable versions of eth-lib
      node_modules/swarm-js

7 moderate severity vulnerabilities
```

Expected Behavior

Expected npm audit to show no vulnerabilities:

```
found 0 vulnerabilities
```

Steps to Reproduce

```
cd packages/web3-bzz
npm install
npm audit
```

Web3.js Version

v1.9.0

Environment

Anything Else?

I emailed security@chainsafe.io a week ago on 3rd April 2023 according to the security policy but haven't received a reply back.
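An added example, not code from web3.js, swarm-js or the reporter: a small walker over a lockfileVersion 1 `package-lock.json` (the "old lockfile" format npm warned about) that lists every chain from a direct dependency down to a flagged package such as the deprecated `request`, which is the question a maintainer has to answer before deciding whether `npm audit fix --force` is acceptable. The embedded lockfile, its version numbers and the direct-dependency list are constructed to mirror the audit chain above.

```javascript
// Added example, not code from web3.js or swarm-js: walk a lockfileVersion 1
// package-lock.json and list every chain from a direct dependency down to a
// flagged package. The lockfile below is constructed to mirror the audit chain.
const sampleLock = {
  name: "web3-bzz",
  lockfileVersion: 1,
  dependencies: {
    "swarm-js": { version: "0.1.40", requires: { "eth-lib": "^0.1.26", got: "^11.8.5" } },
    "eth-lib": {
      version: "0.1.29",
      requires: { servify: "^0.1.12" },
      dependencies: { servify: { version: "0.1.12", requires: { request: "^2.88.0" } } }, // nested copy
    },
    got: { version: "11.8.6" },
    request: { version: "2.88.2" },
  },
};
// Resolve `name` as Node does: nearest enclosing node_modules first, then each
// ancestor scope, then the lockfile root. Returns the node and its scope chain.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return { node: deps[name], scopes: scopes.slice(0, i + 1) };
  }
  return null;
}
// Every chain of package names from one of `directDeps` (from package.json; a
// v1 lockfile hoists transitive packages, so the root alone cannot tell direct
// from transitive) down to `target`. The path check guards dependency cycles.
function chainsTo(lock, directDeps, target) {
  const found = [];
  const walk = (name, node, scopes, path) => {
    if (path.includes(name)) return;
    const chain = [...path, name];
    if (name === target) { found.push(chain); return; }
    for (const dep of Object.keys(node.requires || {})) {
      const hit = resolve([...scopes, node], dep);
      if (hit) walk(dep, hit.node, hit.scopes, chain);
    }
  };
  for (const name of directDeps) {
    const hit = resolve([lock], name);
    if (hit) walk(name, hit.node, hit.scopes, []);
  }
  return found;
}
for (const chain of chainsTo(sampleLock, ["swarm-js"], "request")) {
  console.log(chain.join(" -> ")); // swarm-js -> eth-lib -> servify -> request
}
```

Run against a real `packages/web3-bzz/package-lock.json` with the direct dependencies taken from its `package.json`, a non-empty result is the signal a CI job can fail on, and the printed chain shows which direct dependency has to be upgraded or dropped.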

jdevcs commented 1 year ago

This package was marked for deprecation a long time ago in 1.x, and current active development is going on in 4.x; 4.x is in RC and will be released soon.

mconnelly8 commented 1 year ago

Hey @vincent-l-j, just wanted to let you know that in v4 those packages are removed. Since we moved away from those in v4, we are closing this issue.