
[Snyk] Fix for 2 vulnerabilities #1537

Status: Open. Wants to merge 1 commit into base `main`.

Conversation

filiptronicek (Member)

Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project; you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-installs, you can ignore this, as your flow should likely be unchanged.

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| high severity | 828/1000. Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.7 | Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-8187303) | Yes | Proof of Concept |
| high severity | 696/1000. Why? Recently disclosed, Has a fix available, CVSS 8.2 | Uncontrolled Recursion (SNYK-JS-NEXT-8186172) | Yes | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.


yarn.lock changes

Summary

| Status | Count |
|---|---|
| ADDED | 20 |
| UPDATED | 36 |
| DOWNGRADED | 3 |
| REMOVED | 171 |
| Name | Status | Previous | Current |
|---|---|---|---|
| @adraffy/ens-normalize | ADDED | - | 1.11.0 |
| @ethereumjs/common | REMOVED | 2.6.0 | - |
| @ethereumjs/rlp | ADDED | - | 5.0.2 |
| @ethereumjs/tx | REMOVED | 3.4.0 | - |
| @next/env | UPDATED | 12.3.1 | 14.2.15 |
| @next/swc-android-arm-eabi | REMOVED | 12.3.1 | - |
| @next/swc-android-arm64 | REMOVED | 12.3.1 | - |
| @next/swc-darwin-arm64 | UPDATED | 12.3.1 | 14.2.15 |
| @next/swc-darwin-x64 | UPDATED | 12.3.1 | 14.2.15 |
| @next/swc-freebsd-x64 | REMOVED | 12.3.1 | - |
| @next/swc-linux-arm-gnueabihf | REMOVED | 12.3.1 | - |
| @next/swc-linux-arm64-gnu | UPDATED | 12.3.1 | 14.2.15 |
| @next/swc-linux-arm64-musl | UPDATED | 12.3.1 | 14.2.15 |
| @next/swc-linux-x64-gnu | UPDATED | 12.3.1 | 14.2.15 |
| @next/swc-linux-x64-musl | UPDATED | 12.3.1 | 14.2.15 |
| @next/swc-win32-arm64-msvc | UPDATED | 12.3.1 | 14.2.15 |
| @next/swc-win32-ia32-msvc | UPDATED | 12.3.1 | 14.2.15 |
| @next/swc-win32-x64-msvc | UPDATED | 12.3.1 | 14.2.15 |
| @noble/curves | ADDED | - | 1.4.2 |
| @noble/hashes | ADDED | - | 1.4.0 |
| @scure/base | ADDED | - | 1.1.9 |
| @scure/bip32 | ADDED | - | 1.4.0 |
| @scure/bip39 | ADDED | - | 1.3.0 |
| @sindresorhus/is | REMOVED | 0.14.0 | - |
| @swc/counter | ADDED | - | 0.1.3 |
| @swc/helpers | UPDATED | 0.4.11 | 0.5.5 |
| @szmarczak/http-timer | REMOVED | 1.1.2 | - |
| @types/bn.js | DOWNGRADED | 5.1.0 | 4.11.6 |
| @types/ws | ADDED | - | 8.5.3 |
| abitype | ADDED | - | 0.7.1 |
| accepts | REMOVED | 1.3.7 | - |
| array-flatten | REMOVED | 1.1.1 | - |
| asn1 | REMOVED | 0.2.6 | - |
| asn1.js | REMOVED | 5.4.1 | - |
| assert-plus | REMOVED | 1.0.0 | - |
| async-limiter | REMOVED | 1.0.1 | - |
| aws-sign2 | REMOVED | 0.7.0 | - |
| aws4 | REMOVED | 1.11.0 | - |
| bcrypt-pbkdf | REMOVED | 1.0.2 | - |
| bignumber.js | REMOVED | 9.0.2 | - |
| bluebird | REMOVED | 3.7.2 | - |
| body-parser | REMOVED | 1.19.1 | - |
| browserify-cipher | REMOVED | 1.0.1 | - |
| browserify-des | REMOVED | 1.0.2 | - |
| browserify-rsa | REMOVED | 4.1.0 | - |
| browserify-sign | REMOVED | 4.2.1 | - |
| buffer-to-arraybuffer | REMOVED | 0.0.5 | - |
| busboy | ADDED | - | 1.6.0 |
| bytes | REMOVED | 3.1.1 | - |
| cacheable-request | REMOVED | 6.1.0 | - |
| caniuse-lite | UPDATED | 1.0.30001423 | 1.0.30001669 |
| caseless | REMOVED | 0.12.0 | - |
| cids | REMOVED | 0.7.5 | - |
| client-only | ADDED | - | 0.0.1 |
| clone-response | REMOVED | 1.0.2 | - |
| content-disposition | REMOVED | 0.5.4 | - |
| content-hash | REMOVED | 2.5.2 | - |
| content-type | REMOVED | 1.0.4 | - |
| cookie-signature | REMOVED | 1.0.6 | - |
| cookiejar | REMOVED | 2.1.3 | - |
| core-util-is | UPDATED | 1.0.2 | 1.0.3 |
| cors | REMOVED | 2.8.5 | - |
| crc-32 | UPDATED | 1.2.0 | 1.2.2 |
| create-ecdh | REMOVED | 4.0.4 | - |
| cross-fetch | UPDATED | 3.1.5 | 4.0.0 |
| crypto-browserify | REMOVED | 3.12.0 | - |
| d | REMOVED | 1.0.1 | - |
| dashdash | REMOVED | 1.14.1 | - |
| decode-uri-component | REMOVED | 0.2.0 | - |
| defer-to-connect | REMOVED | 1.1.3 | - |
| depd | REMOVED | 1.1.2 | - |
| des.js | REMOVED | 1.0.1 | - |
| destroy | REMOVED | 1.0.4 | - |
| diffie-hellman | REMOVED | 5.0.3 | - |
| dom-walk | REMOVED | 0.1.2 | - |
| duplexer3 | REMOVED | 0.1.4 | - |
| ecc-jsbn | REMOVED | 0.1.2 | - |
| ee-first | REMOVED | 1.1.1 | - |
| encodeurl | REMOVED | 1.0.2 | - |
| es5-ext | REMOVED | 0.10.53 | - |
| es6-iterator | REMOVED | 2.0.3 | - |
| es6-symbol | REMOVED | 3.1.3 | - |
| etag | REMOVED | 1.8.1 | - |
| eth-ens-namehash | REMOVED | 2.0.8 | - |
| eth-lib | REMOVED | 0.2.8 | - |
| ethereum-bloom-filters | REMOVED | 1.0.10 | - |
| ethereum-cryptography | UPDATED | 0.1.3 | 2.2.1 |
| ethereumjs-util | DOWNGRADED | 7.1.3 | 6.2.1 |
| ethjs-unit | REMOVED | 0.1.6 | - |
| eventemitter3 | UPDATED | 4.0.4 | 5.0.1 |
| exit-on-epipe | REMOVED | 1.0.1 | - |
| express | REMOVED | 4.17.2 | - |
| ext | REMOVED | 1.6.0 | - |
| extend | REMOVED | 3.0.2 | - |
| extsprintf | REMOVED | 1.3.0 | - |
| finalhandler | REMOVED | 1.1.2 | - |
| forever-agent | REMOVED | 0.6.1 | - |
| forwarded | REMOVED | 0.2.0 | - |
| fresh | REMOVED | 0.5.2 | - |
| fs-minipass | REMOVED | 1.2.7 | - |
| getpass | REMOVED | 0.1.7 | - |
| global | REMOVED | 4.4.0 | - |
| got | REMOVED | 9.6.0 | - |
| graceful-fs | UPDATED | 4.2.10 | 4.2.11 |
| har-schema | REMOVED | 2.0.0 | - |
| har-validator | REMOVED | 5.1.5 | - |
| has-symbol-support-x | REMOVED | 1.4.2 | - |
| has-to-string-tag-x | REMOVED | 1.4.1 | - |
| http-cache-semantics | REMOVED | 4.1.0 | - |
| http-errors | REMOVED | 1.8.1 | - |
| http-https | REMOVED | 1.0.0 | - |
| http-signature | REMOVED | 1.2.0 | - |
| idna-uts46-hx | REMOVED | 2.3.1 | - |
| is-function | REMOVED | 1.0.2 | - |
| is-object | REMOVED | 1.0.2 | - |
| is-retry-allowed | REMOVED | 1.2.0 | - |
| is-typedarray | REMOVED | 1.0.0 | - |
| isomorphic-ws | ADDED | - | 5.0.0 |
| isstream | REMOVED | 0.1.2 | - |
| isurl | REMOVED | 1.0.0 | - |
| jsbn | REMOVED | 0.1.1 | - |
| json-buffer | REMOVED | 3.0.0 | - |
| json-stringify-safe | REMOVED | 5.0.1 | - |
| jsprim | REMOVED | 1.4.2 | - |
| keyv | REMOVED | 3.1.0 | - |
| lowercase-keys | REMOVED | 2.0.0 | - |
| media-typer | REMOVED | 0.3.0 | - |
| merge-descriptors | REMOVED | 1.0.1 | - |
| methods | REMOVED | 1.1.2 | - |
| miller-rabin | REMOVED | 4.0.1 | - |
| min-document | REMOVED | 2.19.0 | - |
| minipass | REMOVED | 2.9.0 | - |
| minizlib | REMOVED | 1.3.3 | - |
| mkdirp | REMOVED | 0.5.5 | - |
| mkdirp-promise | REMOVED | 5.0.1 | - |
| mock-fs | REMOVED | 4.14.0 | - |
| ms | DOWNGRADED | 2.1.3 | 2.1.2 |
| multibase | REMOVED | 0.7.0 | - |
| multicodec | REMOVED | 1.0.4 | - |
| multihashes | REMOVED | 0.4.21 | - |
| nano-json-stream-parser | REMOVED | 0.1.2 | - |
| negotiator | REMOVED | 0.6.2 | - |
| next | UPDATED | 12.3.1 | 14.2.15 |
| next-tick | REMOVED | 1.0.0 | - |
| normalize-url | REMOVED | 4.5.1 | - |
| number-to-bn | REMOVED | 1.7.0 | - |
| oauth-sign | REMOVED | 0.9.0 | - |
| oboe | REMOVED | 2.1.5 | - |
| on-finished | REMOVED | 2.3.0 | - |
| p-cancelable | REMOVED | 1.1.0 | - |
| p-finally | REMOVED | 1.0.0 | - |
| p-timeout | REMOVED | 1.2.1 | - |
| parse-asn1 | REMOVED | 5.1.6 | - |
| parse-headers | REMOVED | 2.0.4 | - |
| parseurl | REMOVED | 1.3.3 | - |
| path-to-regexp | REMOVED | 0.1.7 | - |
| performance-now | REMOVED | 2.1.0 | - |
| postcss | UPDATED | 8.4.14 | 8.4.31 |
| prepend-http | REMOVED | 2.0.0 | - |
| printj | REMOVED | 1.1.2 | - |
| process | REMOVED | 0.11.10 | - |
| proxy-addr | REMOVED | 2.0.7 | - |
| public-encrypt | REMOVED | 4.0.3 | - |
| qs | REMOVED | 6.9.6 | - |
| query-string | REMOVED | 5.1.1 | - |
| randomfill | REMOVED | 1.0.4 | - |
| raw-body | REMOVED | 2.4.2 | - |
| request | REMOVED | 2.88.2 | - |
| responselike | REMOVED | 1.0.2 | - |
| send | REMOVED | 0.17.2 | - |
| serve-static | REMOVED | 1.14.2 | - |
| servify | REMOVED | 0.1.12 | - |
| setprototypeof | REMOVED | 1.2.0 | - |
| sshpk | REMOVED | 1.17.0 | - |
| statuses | REMOVED | 1.5.0 | - |
| streamsearch | ADDED | - | 1.1.0 |
| strict-uri-encode | REMOVED | 1.1.0 | - |
| styled-jsx | UPDATED | 5.0.7 | 5.1.1 |
| swarm-js | REMOVED | 0.1.40 | - |
| tar | REMOVED | 4.4.19 | - |
| timed-out | REMOVED | 4.0.1 | - |
| to-readable-stream | REMOVED | 1.0.0 | - |
| toidentifier | REMOVED | 1.0.1 | - |
| type | REMOVED | 2.5.0 | - |
| type-is | REMOVED | 1.6.18 | - |
| typedarray-to-buffer | REMOVED | 3.1.5 | - |
| ultron | REMOVED | 1.1.1 | - |
| unpipe | REMOVED | 1.0.0 | - |
| url-parse-lax | REMOVED | 3.0.0 | - |
| url-set-query | REMOVED | 1.0.0 | - |
| url-to-options | REMOVED | 1.0.1 | - |
| use-sync-external-store | REMOVED | 1.2.0 | - |
| utf8 | REMOVED | 3.0.0 | - |
| utils-merge | REMOVED | 1.0.1 | - |
| vary | REMOVED | 1.1.2 | - |
| verror | REMOVED | 1.10.0 | - |
| web3 | UPDATED | 1.7.3 | 4.13.0 |
| web3-bzz | REMOVED | 1.7.3 | - |
| web3-core | UPDATED | 1.7.3 | 4.6.0 |
| web3-core-helpers | REMOVED | 1.7.3 | - |
| web3-core-method | REMOVED | 1.7.3 | - |
| web3-core-promievent | REMOVED | 1.7.3 | - |
| web3-core-requestmanager | REMOVED | 1.7.3 | - |
| web3-core-subscriptions | REMOVED | 1.7.3 | - |
| web3-errors | ADDED | - | 1.3.0 |
| web3-eth | UPDATED | 1.7.3 | 4.9.0 |
| web3-eth-abi | UPDATED | 1.7.3 | 4.2.4 |
| web3-eth-accounts | UPDATED | 1.7.3 | 4.2.1 |
| web3-eth-contract | UPDATED | 1.7.3 | 4.7.0 |
| web3-eth-ens | UPDATED | 1.7.3 | 4.4.0 |
| web3-eth-iban | UPDATED | 1.7.3 | 4.0.7 |
| web3-eth-personal | UPDATED | 1.7.3 | 4.1.0 |
| web3-net | UPDATED | 1.7.3 | 4.1.0 |
| web3-providers-http | UPDATED | 1.7.3 | 4.2.0 |
| web3-providers-ipc | UPDATED | 1.7.3 | 4.0.7 |
| web3-providers-ws | UPDATED | 1.7.3 | 4.0.8 |
| web3-rpc-methods | ADDED | - | 1.3.0 |
| web3-rpc-providers | ADDED | - | 1.0.0-rc.2 |
| web3-shh | REMOVED | 1.7.3 | - |
| web3-types | ADDED | - | 1.8.0 |
| web3-utils | UPDATED | 1.7.3 | 4.3.1 |
| web3-validator | ADDED | - | 2.0.6 |
| websocket | REMOVED | 1.0.34 | - |
| ws | UPDATED | 8.9.0 | 8.18.0 |
| xhr | REMOVED | 2.6.0 | - |
| xhr-request | REMOVED | 1.1.0 | - |
| xhr-request-promise | REMOVED | 0.1.3 | - |
| xhr2-cookies | REMOVED | 1.1.0 | - |
| yaeti | REMOVED | 0.0.6 | - |
| zod | ADDED | - | 3.23.8 |
