
updating libs #4719

Merged
merged 3 commits into from Jan 24, 2022

Conversation

luu-alex
Contributor

@luu-alex luu-alex commented Jan 19, 2022

Running npm audit to fix vulnerabilities.
closes: #4713
Going from 30 to 23 vulnerabilities.

@luu-alex luu-alex added the 1.x 1.0 related issues label Jan 19, 2022
@nazarhussain
Contributor

@luu-alex Can you share the output of the npm audit fix command, if possible? The changes here are too large to review online.

@luu-alex
Contributor Author

Running npm audit

➜ web3.js git:(1.x) ✗ npm audit

npm audit report

ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - GHSA-93q8-gq69-wqmw
fix available via npm audit fix --force
Will install mocha@9.1.4, which is a breaking change
node_modules/cliui/node_modules/ansi-regex
node_modules/ganache-cli/node_modules/ansi-regex
node_modules/wide-align/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/cliui/node_modules/strip-ansi
node_modules/ganache-cli/node_modules/strip-ansi
node_modules/wide-align/node_modules/strip-ansi
node_modules/wrap-ansi/node_modules/strip-ansi
node_modules/yargs/node_modules/strip-ansi
cliui 4.0.0 - 5.0.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of wrap-ansi
node_modules/cliui
node_modules/ganache-cli/node_modules/cliui
yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1 || 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
Depends on vulnerable versions of yargs-parser
node_modules/ganache-cli/node_modules/yargs
node_modules/solc/node_modules/yargs
node_modules/yargs
@chainsafe/geth-dev-assistant *
Depends on vulnerable versions of yargs
node_modules/@chainsafe/geth-dev-assistant
ganache-cli 6.5.1-beta.0 - 6.12.2
Depends on vulnerable versions of yargs
node_modules/ganache-cli
mocha 6.1.0 - 8.2.1
Depends on vulnerable versions of yargs
Depends on vulnerable versions of yargs-unparser
node_modules/mocha
nyc 14.0.0-alpha.0 - 15.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/nyc
solc 0.3.6 - 0.4.26
Depends on vulnerable versions of yargs
node_modules/solc
@ensdomains/ens *
Depends on vulnerable versions of solc
node_modules/@ensdomains/ens
yargs-unparser 1.5.1 - 1.6.4
Depends on vulnerable versions of yargs
node_modules/yargs-unparser
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/cliui/node_modules/string-width
node_modules/ganache-cli/node_modules/string-width
node_modules/wide-align/node_modules/string-width
node_modules/wrap-ansi/node_modules/string-width
node_modules/yargs/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/ganache-cli/node_modules/wrap-ansi
node_modules/wrap-ansi

elliptic <6.5.4
Severity: moderate
Use of a Broken or Risky Cryptographic Algorithm - GHSA-r9p9-mrjm-926w
fix available via npm audit fix
node_modules/ganache-cli/node_modules/elliptic

engine.io 4.0.0 - 4.1.1
Severity: high
Uncaught Exception in engine.io - GHSA-273r-mgr4-v34f
fix available via npm audit fix
node_modules/engine.io

follow-redirects <1.14.7
Severity: high
Exposure of sensitive information in follow-redirects - GHSA-74fj-2j2h-c42q
fix available via npm audit fix
node_modules/follow-redirects

glob-parent <5.1.2
Severity: high
Regular expression denial of service - GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install webpack@5.66.0, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack

json-schema <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - GHSA-896r-f27r-55mw
fix available via npm audit fix
node_modules/json-schema
jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
Depends on vulnerable versions of json-schema
node_modules/jsprim

shelljs <0.8.5
Severity: moderate
Improper Privilege Management in shelljs - GHSA-64g7-mvw6-v9qj
fix available via npm audit fix --force
Will install jshint@1.0.0, which is a breaking change
node_modules/shelljs
jshint >=1.1.0
Depends on vulnerable versions of shelljs
node_modules/jshint

tar <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - GHSA-r628-mhmh-qjhw
fix available via npm audit fix
node_modules/@definitelytyped/utils/node_modules/tar
@definitelytyped/utils >=0.0.23-next.0
Depends on vulnerable versions of tar
node_modules/@definitelytyped/utils
dtslint >=3.5.0
Depends on vulnerable versions of @definitelytyped/utils
node_modules/dtslint

y18n 4.0.0
Severity: high
Prototype Pollution - GHSA-c4w7-xm78-47vh
fix available via npm audit fix
node_modules/ganache-cli/node_modules/y18n

yargs-parser <=5.0.0
Severity: moderate
Prototype Pollution in yargs-parser - GHSA-p9pc-299p-vxgp
fix available via npm audit fix --force
Will install mocha@9.1.4, which is a breaking change
node_modules/solc/node_modules/yargs-parser
yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1 || 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
Depends on vulnerable versions of yargs-parser
node_modules/ganache-cli/node_modules/yargs
node_modules/solc/node_modules/yargs
node_modules/yargs
@chainsafe/geth-dev-assistant *
Depends on vulnerable versions of yargs
node_modules/@chainsafe/geth-dev-assistant
ganache-cli 6.5.1-beta.0 - 6.12.2
Depends on vulnerable versions of yargs
node_modules/ganache-cli
mocha 6.1.0 - 8.2.1
Depends on vulnerable versions of yargs
Depends on vulnerable versions of yargs-unparser
node_modules/mocha
nyc 14.0.0-alpha.0 - 15.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/nyc
solc 0.3.6 - 0.4.26
Depends on vulnerable versions of yargs
node_modules/solc
@ensdomains/ens *
Depends on vulnerable versions of solc
node_modules/@ensdomains/ens
yargs-unparser 1.5.1 - 1.6.4
Depends on vulnerable versions of yargs
node_modules/yargs-unparser

30 vulnerabilities (19 moderate, 11 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

@luu-alex
Contributor Author

Running npm audit fix
➜ web3.js git:(1.x) ✗ npm audit fix
npm WARN audit fix ansi-regex@4.1.0 node_modules/ganache-cli/node_modules/ansi-regex
npm WARN audit fix ansi-regex@4.1.0 is a bundled dependency of
npm WARN audit fix ansi-regex@4.1.0 ganache-cli@6.12.2 at node_modules/ganache-cli
npm WARN audit fix ansi-regex@4.1.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex@4.1.0 Check for updates to the ganache-cli package.
npm WARN audit fix elliptic@6.5.3 node_modules/ganache-cli/node_modules/elliptic
npm WARN audit fix elliptic@6.5.3 is a bundled dependency of
npm WARN audit fix elliptic@6.5.3 ganache-cli@6.12.2 at node_modules/ganache-cli
npm WARN audit fix elliptic@6.5.3 It cannot be fixed automatically.
npm WARN audit fix elliptic@6.5.3 Check for updates to the ganache-cli package.
npm WARN audit fix y18n@4.0.0 node_modules/ganache-cli/node_modules/y18n
npm WARN audit fix y18n@4.0.0 is a bundled dependency of
npm WARN audit fix y18n@4.0.0 ganache-cli@6.12.2 at node_modules/ganache-cli
npm WARN audit fix y18n@4.0.0 It cannot be fixed automatically.
npm WARN audit fix y18n@4.0.0 Check for updates to the ganache-cli package.
npm WARN audit fix strip-ansi@5.2.0 node_modules/ganache-cli/node_modules/strip-ansi
npm WARN audit fix strip-ansi@5.2.0 is a bundled dependency of
npm WARN audit fix strip-ansi@5.2.0 ganache-cli@6.12.2 at node_modules/ganache-cli
npm WARN audit fix strip-ansi@5.2.0 It cannot be fixed automatically.
npm WARN audit fix strip-ansi@5.2.0 Check for updates to the ganache-cli package.
npm WARN audit fix yargs@13.2.4 node_modules/ganache-cli/node_modules/yargs
npm WARN audit fix yargs@13.2.4 is a bundled dependency of
npm WARN audit fix yargs@13.2.4 ganache-cli@6.12.2 at node_modules/ganache-cli
npm WARN audit fix yargs@13.2.4 It cannot be fixed automatically.
npm WARN audit fix yargs@13.2.4 Check for updates to the ganache-cli package.
npm WARN audit fix wrap-ansi@5.1.0 node_modules/ganache-cli/node_modules/wrap-ansi
npm WARN audit fix wrap-ansi@5.1.0 is a bundled dependency of
npm WARN audit fix wrap-ansi@5.1.0 ganache-cli@6.12.2 at node_modules/ganache-cli
npm WARN audit fix wrap-ansi@5.1.0 It cannot be fixed automatically.
npm WARN audit fix wrap-ansi@5.1.0 Check for updates to the ganache-cli package.
npm WARN audit fix string-width@3.1.0 node_modules/ganache-cli/node_modules/string-width
npm WARN audit fix string-width@3.1.0 is a bundled dependency of
npm WARN audit fix string-width@3.1.0 ganache-cli@6.12.2 at node_modules/ganache-cli
npm WARN audit fix string-width@3.1.0 It cannot be fixed automatically.
npm WARN audit fix string-width@3.1.0 Check for updates to the ganache-cli package.
npm WARN audit fix cliui@5.0.0 node_modules/ganache-cli/node_modules/cliui
npm WARN audit fix cliui@5.0.0 is a bundled dependency of
npm WARN audit fix cliui@5.0.0 ganache-cli@6.12.2 at node_modules/ganache-cli
npm WARN audit fix cliui@5.0.0 It cannot be fixed automatically.
npm WARN audit fix cliui@5.0.0 Check for updates to the ganache-cli package.
npm WARN deprecated testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated mkdirp-promise@5.0.1: This package is broken and no longer maintained. 'mkdirp' itself supports promises now, please switch to that.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated mkdirp@0.5.4: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated multicodec@1.0.4: This module has been superseded by the multiformats module
npm WARN deprecated uuid@3.3.2: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated multibase@0.6.1: This module has been superseded by the multiformats module
npm WARN deprecated multibase@0.7.0: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@0.5.7: This module has been superseded by the multiformats module
npm WARN deprecated cids@0.7.5: This module has been superseded by the multiformats module
npm WARN deprecated iltorb@2.4.5: The zlib module provides APIs for brotli compression/decompression starting with Node.js v10.16.0, please use it over iltorb
npm WARN deprecated @ensdomains/ens@0.6.2: Please use @ensdomains/ens-contracts
npm WARN deprecated @ensdomains/resolver@0.2.4: Please use @ensdomains/ens-contracts

added 1075 packages, removed 337 packages, changed 152 packages, and audited 1902 packages in 30s

127 packages are looking for funding
run npm fund for details

npm audit report

ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - GHSA-93q8-gq69-wqmw
fix available via npm audit fix --force
Will install mocha@9.1.4, which is a breaking change
node_modules/cliui/node_modules/ansi-regex
node_modules/ganache-cli/node_modules/ansi-regex
node_modules/wide-align/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/cliui/node_modules/strip-ansi
node_modules/ganache-cli/node_modules/strip-ansi
node_modules/wide-align/node_modules/strip-ansi
node_modules/wrap-ansi/node_modules/strip-ansi
node_modules/yargs/node_modules/strip-ansi
cliui 4.0.0 - 5.0.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of wrap-ansi
node_modules/cliui
node_modules/ganache-cli/node_modules/cliui
yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1 || 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
Depends on vulnerable versions of yargs-parser
node_modules/ganache-cli/node_modules/yargs
node_modules/solc/node_modules/yargs
node_modules/yargs
@chainsafe/geth-dev-assistant *
Depends on vulnerable versions of yargs
node_modules/@chainsafe/geth-dev-assistant
ganache-cli 6.2.0-beta.0 - 6.12.2
Depends on vulnerable versions of yargs
node_modules/ganache-cli
mocha 6.0.0-0 - 8.2.1
Depends on vulnerable versions of yargs
Depends on vulnerable versions of yargs-unparser
node_modules/mocha
nyc 11.3.0 - 15.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/nyc
solc 0.3.6 - 0.4.26
Depends on vulnerable versions of yargs
node_modules/solc
@ensdomains/ens *
Depends on vulnerable versions of solc
node_modules/@ensdomains/ens
yargs-unparser 1.5.0 - 1.6.4
Depends on vulnerable versions of yargs
node_modules/yargs-unparser
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/cliui/node_modules/string-width
node_modules/ganache-cli/node_modules/string-width
node_modules/wide-align/node_modules/string-width
node_modules/wrap-ansi/node_modules/string-width
node_modules/yargs/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/ganache-cli/node_modules/wrap-ansi
node_modules/wrap-ansi

elliptic <6.5.4
Severity: moderate
Use of a Broken or Risky Cryptographic Algorithm - GHSA-r9p9-mrjm-926w
fix available via npm audit fix
node_modules/ganache-cli/node_modules/elliptic

glob-parent <5.1.2
Severity: high
Regular expression denial of service - GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install webpack@5.66.0, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack

shelljs <0.8.5
Severity: moderate
Improper Privilege Management in shelljs - GHSA-64g7-mvw6-v9qj
fix available via npm audit fix --force
Will install jshint@1.0.0, which is a breaking change
node_modules/shelljs
jshint >=1.1.0
Depends on vulnerable versions of shelljs
node_modules/jshint

y18n 4.0.0
Severity: high
Prototype Pollution - GHSA-c4w7-xm78-47vh
fix available via npm audit fix
node_modules/ganache-cli/node_modules/y18n

yargs-parser <=5.0.0
Severity: moderate
Prototype Pollution in yargs-parser - GHSA-p9pc-299p-vxgp
fix available via npm audit fix --force
Will install mocha@9.1.4, which is a breaking change
node_modules/solc/node_modules/yargs-parser
yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1 || 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
Depends on vulnerable versions of yargs-parser
node_modules/ganache-cli/node_modules/yargs
node_modules/solc/node_modules/yargs
node_modules/yargs
@chainsafe/geth-dev-assistant *
Depends on vulnerable versions of yargs
node_modules/@chainsafe/geth-dev-assistant
ganache-cli 6.2.0-beta.0 - 6.12.2
Depends on vulnerable versions of yargs
node_modules/ganache-cli
mocha 6.0.0-0 - 8.2.1
Depends on vulnerable versions of yargs
Depends on vulnerable versions of yargs-unparser
node_modules/mocha
nyc 11.3.0 - 15.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/nyc
solc 0.3.6 - 0.4.26
Depends on vulnerable versions of yargs
node_modules/solc
@ensdomains/ens *
Depends on vulnerable versions of solc
node_modules/@ensdomains/ens
yargs-unparser 1.5.0 - 1.6.4
Depends on vulnerable versions of yargs
node_modules/yargs-unparser

23 vulnerabilities (17 moderate, 6 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

@luu-alex
Contributor Author

Thanks for the feedback @nazarhussain, I shared npm audit and npm audit fix.

@jdevcs
Contributor

jdevcs commented Jan 21, 2022

This branch is out of date with 1.x; could you update it and see that all tests are passing?

@luu-alex
Contributor Author

@jdevcs passing

@luu-alex luu-alex merged commit 115c3a9 into 1.x Jan 24, 2022
@luu-alex luu-alex deleted the 4713/libs-update branch January 24, 2022 14:45
@jdevcs jdevcs mentioned this pull request Feb 10, 2022
Successfully merging this pull request may close these issues.

1.x libs update