windranger-io / windranger-governance

BitDAO Governance contracts framework
Apache License 2.0

[Bug] Security vulnerabilities - update dependencies #78

Closed CjHare closed 2 years ago

CjHare commented 2 years ago

Bug Description

When landing on windranger-governance index, I'm welcome by a dependabot warning about security vulnerabilities.

It's not clear why the dependabot PRs were closed, but update the dependencies so there are security vulnerabilities i.e. bring the dependencies in line with the template (updating those dependencies, if required).

bitparadigm commented 2 years ago

Merged all upgrades for dependencies.

CjHare commented 2 years ago

Still getting three moderate severity warnings.

https://github.com/windranger-io/windranger-governance/security/dependabot

bitparadigm commented 2 years ago

Still getting three moderate severity warnings.

https://github.com/windranger-io/windranger-governance/security/dependabot

When I open the link it shows 404.

CjHare commented 2 years ago

Interesting, this must be due to permissioning 🤔 ...I'm guessing you don't see the warning on the landing page (as that links to that page).

CjHare commented 2 years ago

Alright, these are transitive security issues.

These are all in package.json as production dependencies.

    "@nomiclabs/hardhat-etherscan": "^2.1.6",
    "@nomiclabs/hardhat-ganache": "^2.0.1",
    "@nomiclabs/hardhat-truffle5": "^2.0.1",
    "@nomiclabs/hardhat-web3": "^2.0.0",
    "@openzeppelin/contracts": "^4.3.3",
    "hardhat-gas-reporter": "^1.0.4",
    "web3": "^1.6.1"

A) Are they all needed i.e. can any be removed entirely? (there's truffle & ganache and web3 ...these aren't needed in windranger-treasury)

B) Can any of these be devDependencies? (I'm pretty sure dependabot only gives security warnings on production dependencies)
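One way to act on point B above, as an added example that is not code from the windranger-governance repository: rewrite a package.json so that Hardhat build/test tooling moves to devDependencies and only what actually ships stays in "dependencies". The DEV_TOOLING patterns and the sample manifest (with an extra constructed "prettier" entry) are assumptions.

```javascript
// Added example, not the project's code: move Hardhat tooling out of the
// production dependency list so dependabot / npm audit flag only shipped code.
// DEV_TOOLING is an assumption; anything it does not match stays in
// "dependencies" and should be reviewed by hand (e.g. web3 in the issue).
const DEV_TOOLING = [
  /^hardhat$/,              // the Hardhat runtime itself
  /^@nomiclabs\/hardhat-/,  // Hardhat plugins (etherscan, ganache, truffle5, web3)
  /^hardhat-/,              // community plugins such as hardhat-gas-reporter
];

// Constructed sample mirroring the list quoted in the issue (not the real file).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-governance",
  dependencies: {
    "@nomiclabs/hardhat-etherscan": "^2.1.6",
    "@nomiclabs/hardhat-ganache": "^2.0.1",
    "@nomiclabs/hardhat-truffle5": "^2.0.1",
    "@nomiclabs/hardhat-web3": "^2.0.0",
    "@openzeppelin/contracts": "^4.3.3",
    "hardhat-gas-reporter": "^1.0.4",
    "web3": "^1.6.1",
  },
  devDependencies: { "prettier": "^2.4.1" }, // constructed pre-existing dev dep
}, null, 2);

function isDevTooling(name) {
  return DEV_TOOLING.some((re) => re.test(name));
}

// Returns the rewritten manifest plus the names that were moved, so the change
// can be reviewed before it is written back and `npm install` is re-run.
function splitDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const prod = {};
  const dev = { ...(pkg.devDependencies || {}) }; // keep existing dev deps
  const moved = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    if (isDevTooling(name)) {
      dev[name] = range;
      moved.push(name);
    } else {
      prod[name] = range; // e.g. @openzeppelin/contracts, imported by the Solidity sources
    }
  }
  // Sort keys (code-unit order) so the rewritten file diffs cleanly.
  const sorted = (o) => Object.fromEntries(Object.entries(o).sort(([a], [b]) => (a < b ? -1 : 1)));
  return { pkg: { ...pkg, dependencies: sorted(prod), devDependencies: sorted(dev) }, moved };
}

const result = splitDependencies(SAMPLE_PACKAGE_JSON);
console.log(`moved to devDependencies: ${result.moved.join(", ")}`);
console.log(JSON.stringify(result.pkg, null, 2));
```

After writing the result back, re-run `npm install` and `npm audit --omit=dev` (npm 8+) to see which advisories remain in the production tree.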

CjHare commented 2 years ago

No longer an issue 👍