
Update 1.x Dependencies #5529

Merged: 9 commits, Oct 22, 2022

Conversation

spacesailor24
Contributor

@spacesailor24 spacesailor24 commented Oct 13, 2022

closes #5422

@spacesailor24 spacesailor24 added labels 1.x (1.0 related issues) and dependencies (Updates dependency) Oct 13, 2022
@spacesailor24 spacesailor24 force-pushed the wyatt/1.x/5422-update-dependencies branch from 7a09521 to 7cc0592 Compare October 13, 2022 02:52
@coveralls

coveralls commented Oct 13, 2022

Pull Request Test Coverage Report for Build 3285222756

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 72.233%

Totals Coverage Status
Change from base Build 3091420932: 0.0%
Covered Lines: 3414
Relevant Lines: 4445

💛 - Coveralls

@spacesailor24 spacesailor24 force-pushed the wyatt/1.x/5422-update-dependencies branch from a32ea7f to d63cdec Compare October 13, 2022 03:48
@spacesailor24
Contributor Author

Before this commit

Package                                    Current    Wanted  Latest  Location                                               Depended by
@babel/cli                                  7.15.7    7.19.3  7.19.3  node_modules/@babel/cli                                web3.js
@babel/core                                 7.15.8    7.19.3  7.19.3  node_modules/@babel/core                               web3.js
@babel/plugin-proposal-class-properties     7.14.5    7.18.6  7.18.6  node_modules/@babel/plugin-proposal-class-properties   web3.js
@babel/plugin-transform-modules-commonjs    7.15.4    7.18.6  7.18.6  node_modules/@babel/plugin-transform-modules-commonjs  web3.js
@babel/plugin-transform-runtime             7.15.8    7.19.1  7.19.1  node_modules/@babel/plugin-transform-runtime           web3.js
@babel/preset-env                           7.15.8    7.19.4  7.19.4  node_modules/@babel/preset-env                         web3.js
@babel/preset-typescript                    7.15.0    7.18.6  7.18.6  node_modules/@babel/preset-typescript                  web3.js
@babel/runtime                              7.15.4    7.19.4  7.19.4  node_modules/@babel/runtime                            web3.js
@ensdomains/resolver                         0.2.4     0.2.4   0.3.1  node_modules/@ensdomains/resolver                      web3.js
@types/bignumber.js                          4.0.3     4.0.3   5.0.0  node_modules/@types/bignumber.js                       web3.js
@types/bn.js                                 5.1.0     5.1.1   5.1.1  node_modules/@types/bn.js                              web3.js
@types/node                               12.20.33  12.20.55  18.8.5  node_modules/@types/node                               web3.js
@types/prettier                              2.6.0     2.6.0   2.7.1  node_modules/@types/prettier                           web3.js
babel-loader                                 8.2.2     8.2.5   8.2.5  node_modules/babel-loader                              web3.js
bignumber.js                                 9.0.1     9.1.0   9.1.0  node_modules/bignumber.js                              web3.js
browserify                                  16.5.2    16.5.2  17.0.0  node_modules/browserify                                web3.js
buffer                                       4.9.2     4.9.2   6.0.3  node_modules/buffer                                    web3.js
chai                                         4.3.4     4.3.6   4.3.6  node_modules/chai                                      web3.js
clean-webpack-plugin                         3.0.0     3.0.0   4.0.0  node_modules/clean-webpack-plugin                      web3.js
core-js                                     3.18.3    3.25.5  3.25.5  node_modules/core-js                                   web3.js
crypto-js                                    3.3.0     3.3.0   4.1.1  node_modules/crypto-js                                 web3.js
decache                                      4.6.0     4.6.1   4.6.1  node_modules/decache                                   web3.js
ethereumjs-util                              7.1.3     7.1.5   7.1.5  node_modules/ethereumjs-util                           web3.js
ethers                                       5.5.0     5.7.1   5.7.1  node_modules/ethers                                    web3.js
jshint                                      2.13.4    2.13.5  2.13.5  node_modules/jshint                                    web3.js
karma                                       6.3.19     6.4.1   6.4.1  node_modules/karma                                     web3.js
karma-browserify                             7.0.0     7.0.0   8.1.0  node_modules/karma-browserify                          web3.js
karma-chrome-launcher                        3.1.0     3.1.1   3.1.1  node_modules/karma-chrome-launcher                     web3.js
karma-firefox-launcher                       1.3.0     1.3.0   2.1.2  node_modules/karma-firefox-launcher                    web3.js
karma-spec-reporter                         0.0.32    0.0.32  0.0.34  node_modules/karma-spec-reporter                       web3.js
lerna                                        4.0.0     4.0.0   6.0.0  node_modules/lerna                                     web3.js
mocha                                        6.2.3     6.2.3  10.0.0  node_modules/mocha                                     web3.js
nyc                                         14.1.1    14.1.1  15.1.0  node_modules/nyc                                       web3.js
pify                                         4.0.1     4.0.1   6.1.0  node_modules/pify                                      web3.js
ts-node                                      9.1.1     9.1.1  10.9.1  node_modules/ts-node                                   web3.js
typescript                                  3.9.10    3.9.10   4.8.4  node_modules/typescript                                web3.js
wait-port                                    0.2.9    0.2.14   1.0.3  node_modules/wait-port                                 web3.js
webpack                                     4.46.0    4.46.0  5.74.0  node_modules/webpack                                   web3.js
webpack-cli                                  4.9.1    4.10.0  4.10.0  node_modules/webpack-cli                               web3.js

After

Package                  Current    Wanted  Latest  Location                             Depended by
@ensdomains/resolver       0.2.4     0.2.4   0.3.1  node_modules/@ensdomains/resolver    web3.js
@types/bignumber.js        4.0.3     4.0.3   5.0.0  node_modules/@types/bignumber.js     web3.js
@types/node             12.20.55  12.20.55  18.8.5  node_modules/@types/node             web3.js
@types/prettier            2.6.0     2.6.0   2.7.1  node_modules/@types/prettier         web3.js
browserify                16.5.2    16.5.2  17.0.0  node_modules/browserify              web3.js
buffer                     4.9.2     4.9.2   6.0.3  node_modules/buffer                  web3.js
clean-webpack-plugin       3.0.0     3.0.0   4.0.0  node_modules/clean-webpack-plugin    web3.js
crypto-js                  3.3.0     3.3.0   4.1.1  node_modules/crypto-js               web3.js
karma-browserify           7.0.0     7.0.0   8.1.0  node_modules/karma-browserify        web3.js
karma-firefox-launcher     1.3.0     1.3.0   2.1.2  node_modules/karma-firefox-launcher  web3.js
karma-spec-reporter       0.0.32    0.0.32  0.0.34  node_modules/karma-spec-reporter     web3.js
lerna                      4.0.0     4.0.0   6.0.0  node_modules/lerna                   web3.js
mocha                      6.2.3     6.2.3  10.0.0  node_modules/mocha                   web3.js
nyc                       14.1.1    14.1.1  15.1.0  node_modules/nyc                     web3.js
pify                       4.0.1     4.0.1   6.1.0  node_modules/pify                    web3.js
ts-node                    9.1.1     9.1.1  10.9.1  node_modules/ts-node                 web3.js
typescript                3.9.10    3.9.10   4.8.4  node_modules/typescript              web3.js
wait-port                 0.2.14    0.2.14   1.0.3  node_modules/wait-port               web3.js
webpack                   4.46.0    4.46.0  5.74.0  node_modules/webpack                 web3.js

@spacesailor24 spacesailor24 mentioned this pull request Oct 13, 2022
@spacesailor24
Contributor Author

spacesailor24 commented Oct 13, 2022

npm WARN deprecated ganache-cli@6.12.2: ganache-cli is now ganache; visit https://trfl.io/g7 for details
npm WARN deprecated testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated mkdirp-promise@5.0.1: This package is broken and no longer maintained. 'mkdirp' itself supports promises now, please switch to that.
npm WARN deprecated read-package-tree@5.3.1: The functionality that this package provided is now in @npmcli/arborist
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated mkdirp@0.5.4: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated multicodec@1.0.4: This module has been superseded by the multiformats module
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated multibase@0.6.1: This module has been superseded by the multiformats module
npm WARN deprecated multibase@0.7.0: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@0.5.7: This module has been superseded by the multiformats module
npm WARN deprecated cids@0.7.5: This module has been superseded by the multiformats module
npm WARN deprecated iltorb@2.4.5: The zlib module provides APIs for brotli compression/decompression starting with Node.js v10.16.0, please use it over iltorb
npm WARN deprecated @ensdomains/ens@0.6.2: Please use @ensdomains/ens-contracts
npm WARN deprecated @ensdomains/resolver@0.2.4: Please use @ensdomains/ens-contracts

> postinstall
> npm run bootstrap


> bootstrap
> lerna bootstrap --hoist

lerna notice cli v4.0.0
lerna info Bootstrapping 23 packages
lerna WARN ECYCLE Dependency cycles detected, you should fix these!
lerna WARN ECYCLE web3-eth-ens -> web3-eth -> web3-eth-ens
lerna WARN EHOIST_ROOT_VERSION The repository root depends on @babel/cli@^7.12.1, which differs from the more common @babel/cli@^7.12.10.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-beaconchain" package depends on @babel/cli@^7.12.10, which differs from the hoisted @babel/cli@^7.12.1.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-core" package depends on @babel/cli@^7.12.10, which differs from the hoisted @babel/cli@^7.12.1.
lerna WARN EHOIST_ROOT_VERSION The repository root depends on @babel/core@^7.12.3, which differs from the more common @babel/core@^7.12.10.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-beaconchain" package depends on @babel/core@^7.12.10, which differs from the hoisted @babel/core@^7.12.3.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-core" package depends on @babel/core@^7.12.10, which differs from the hoisted @babel/core@^7.12.3.
lerna WARN EHOIST_ROOT_VERSION The repository root depends on @babel/plugin-transform-runtime@^7.12.1, which differs from the more common @babel/plugin-transform-runtime@^7.12.10.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-beaconchain" package depends on @babel/plugin-transform-runtime@^7.12.10, which differs from the hoisted @babel/plugin-transform-runtime@^7.12.1.
lerna WARN EHOIST_ROOT_VERSION The repository root depends on @babel/preset-env@^7.12.1, which differs from the more common @babel/preset-env@^7.12.11.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-beaconchain" package depends on @babel/preset-env@^7.12.11, which differs from the hoisted @babel/preset-env@^7.12.1.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-core" package depends on @babel/preset-env@^7.12.11, which differs from the hoisted @babel/preset-env@^7.12.1.
lerna WARN EHOIST_ROOT_VERSION The repository root depends on @babel/preset-typescript@^7.12.1, which differs from the more common @babel/preset-typescript@^7.12.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-beaconchain" package depends on @babel/preset-typescript@^7.12.7, which differs from the hoisted @babel/preset-typescript@^7.12.1.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-core" package depends on @babel/preset-typescript@^7.12.7, which differs from the hoisted @babel/preset-typescript@^7.12.1.
lerna WARN EHOIST_ROOT_VERSION The repository root depends on @babel/runtime@^7.12.1, which differs from the more common @babel/runtime@^7.12.5.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-beaconchain" package depends on @babel/runtime@^7.12.5, which differs from the hoisted @babel/runtime@^7.12.1.
lerna WARN EHOIST_ROOT_VERSION The repository root depends on @types/node@^12.12.68, which differs from the more common @types/node@^12.12.6.
lerna WARN EHOIST_PKG_VERSION "web3-bzz" package depends on @types/node@^12.12.6, which differs from the hoisted @types/node@^12.12.68.
lerna WARN EHOIST_PKG_VERSION "web3-core-helpers" package depends on @types/node@^12.12.6, which differs from the hoisted @types/node@^12.12.68.
lerna WARN EHOIST_PKG_VERSION "web3-core" package depends on @types/node@^12.12.6, which differs from the hoisted @types/node@^12.12.68.
lerna WARN EHOIST_PKG_VERSION "web3-eth-personal" package depends on @types/node@^12.12.6, which differs from the hoisted @types/node@^12.12.68.
lerna WARN EHOIST_PKG_VERSION "web3-providers-ipc" package depends on @types/node@^12.12.6, which differs from the hoisted @types/node@^12.12.68.
lerna WARN EHOIST_PKG_VERSION "web3-shh" package depends on @types/node@^12.12.6, which differs from the hoisted @types/node@^12.12.68.
lerna WARN EHOIST_PKG_VERSION "web3" package depends on @types/node@^12.12.6, which differs from the hoisted @types/node@^12.12.68.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-beaconchain" package depends on @types/node@^14.11.2, which differs from the hoisted @types/node@^12.12.68.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-core" package depends on @types/node@^14.14.22, which differs from the hoisted @types/node@^12.12.68.
lerna WARN EHOIST_ROOT_VERSION The repository root depends on bignumber.js@^9.0.1, which differs from the more common bignumber.js@^9.0.0.
lerna WARN EHOIST_PKG_VERSION "web3-core" package depends on bignumber.js@^9.0.0, which differs from the hoisted bignumber.js@^9.0.1.
lerna WARN EHOIST_ROOT_VERSION The repository root depends on ethereumjs-util@^7.1.0, which differs from the more common ethereumjs-util@^7.0.10.
lerna WARN EHOIST_PKG_VERSION "web3-eth-accounts" package depends on ethereumjs-util@^7.0.10, which differs from the hoisted ethereumjs-util@^7.1.0.
lerna WARN EHOIST_ROOT_VERSION The repository root depends on typescript@^3.9.7, which differs from the more common typescript@^3.9.5.
lerna WARN EHOIST_PKG_VERSION "web3-bzz" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-core-helpers" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-core-method" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-core-subscriptions" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-core" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth-abi" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth-accounts" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth-contract" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth-ens" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth-iban" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth-personal" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-net" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-providers-http" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-providers-ipc" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-providers-ws" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-shh" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-utils" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3" package depends on typescript@^3.9.5, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-beaconchain" package depends on typescript@^4.0.3, which differs from the hoisted typescript@^3.9.7.
lerna WARN EHOIST_PKG_VERSION "web3-eth2-beaconchain" package depends on jest@^26.4.2, which differs from the hoisted jest@^26.5.3.
lerna info Installing external dependencies
lerna info hoist Installing hoisted dependencies into root
lerna info hoist Pruning hoisted dependencies
lerna info hoist Finished pruning hoisted dependencies
lerna info hoist Finished bootstrapping root
lerna info Symlinking packages and binaries
lerna WARN ECYCLE Dependency cycles detected, you should fix these!
lerna WARN ECYCLE web3-eth-ens -> web3-eth -> web3-eth-ens
lerna WARN ECYCLE Dependency cycles detected, you should fix these!
lerna WARN ECYCLE web3-eth-ens -> web3-eth -> web3-eth-ens
lerna info lifecycle web3-bzz@1.8.0~postinstall: web3-bzz@1.8.0
lerna info lifecycle web3-shh@1.8.0~postinstall: web3-shh@1.8.0

> web3-bzz@1.8.0 postinstall /home/anon/Public/code/ChainSafe/git-repos/web3.js/packages/web3-bzz
> echo "WARNING: the web3-bzz api will be deprecated in the next version"

WARNING: the web3-bzz api will be deprecated in the next version

> web3-shh@1.8.0 postinstall /home/anon/Public/code/ChainSafe/git-repos/web3.js/packages/web3-shh
> echo "WARNING: the web3-shh api will be deprecated in the next version"

WARNING: the web3-shh api will be deprecated in the next version
lerna info lifecycle web3@1.8.0~postinstall: web3@1.8.0

> web3@1.8.0 postinstall /home/anon/Public/code/ChainSafe/git-repos/web3.js/packages/web3
> echo "Web3.js 4.x alpha has been released for early testing and feedback. Checkout doc at https://docs.web3js.org/ "

Web3.js 4.x alpha has been released for early testing and feedback. Checkout doc at https://docs.web3js.org/ 
lerna WARN ECYCLE Dependency cycles detected, you should fix these!
lerna WARN ECYCLE web3-eth-ens -> web3-eth -> web3-eth-ens
lerna WARN ECYCLE Dependency cycles detected, you should fix these!
lerna WARN ECYCLE web3-eth-ens -> web3-eth -> web3-eth-ens
lerna success Bootstrapped 23 packages

added 1850 packages, and audited 1951 packages in 26s

152 packages are looking for funding
  run `npm fund` for details

22 vulnerabilities (5 moderate, 10 high, 7 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

# npm audit report

ansi-regex  4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ganache-cli/node_modules/ansi-regex

elliptic  <6.5.4
Severity: moderate
Use of a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
fix available via `npm audit fix`
node_modules/ganache-cli/node_modules/elliptic

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install karma-browserify@8.1.0, which is a breaking change
node_modules/watchify/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchify/node_modules/chokidar
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchify  3.0.0 - 3.11.1
    Depends on vulnerable versions of chokidar
    node_modules/watchify
      karma-browserify  4.1.0 - 8.0.0
      Depends on vulnerable versions of watchify
      node_modules/karma-browserify
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack

parse-path  <5.0.0
Severity: high
Authorization Bypass in parse-path - https://github.com/advisories/GHSA-3j8f-xvm3-ffx4
fix available via `npm audit fix --force`
Will install lerna@6.0.0, which is a breaking change
node_modules/parse-path
  parse-url  <=8.0.0
  Depends on vulnerable versions of parse-path
  node_modules/parse-url
    git-up  <=6.0.0
    Depends on vulnerable versions of parse-url
    node_modules/git-up
      git-url-parse  4.0.0 - 12.0.0
      Depends on vulnerable versions of git-up
      node_modules/git-url-parse
        @lerna/github-client  <=5.5.1
        Depends on vulnerable versions of git-url-parse
        node_modules/@lerna/github-client
          @lerna/version  3.11.0 - 5.5.1 || 5.5.3
          Depends on vulnerable versions of @lerna/github-client
          node_modules/@lerna/version
            @lerna/publish  3.11.0 - 5.5.1 || 5.5.3
            Depends on vulnerable versions of @lerna/version
            node_modules/@lerna/publish
            lerna  3.11.0 - 5.5.1
            Depends on vulnerable versions of @lerna/version
            node_modules/lerna

parse-url  <=8.0.0
Severity: critical
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url  - https://github.com/advisories/GHSA-j9fq-vwqv-2fm2
Depends on vulnerable versions of parse-path
fix available via `npm audit fix --force`
Will install lerna@6.0.0, which is a breaking change
node_modules/parse-url
  git-up  <=6.0.0
  Depends on vulnerable versions of parse-url
  node_modules/git-up
    git-url-parse  4.0.0 - 12.0.0
    Depends on vulnerable versions of git-up
    node_modules/git-url-parse
      @lerna/github-client  <=5.5.1
      Depends on vulnerable versions of git-url-parse
      node_modules/@lerna/github-client
        @lerna/version  3.11.0 - 5.5.1 || 5.5.3
        Depends on vulnerable versions of @lerna/github-client
        node_modules/@lerna/version
          @lerna/publish  3.11.0 - 5.5.1 || 5.5.3
          Depends on vulnerable versions of @lerna/version
          node_modules/@lerna/publish
          lerna  3.11.0 - 5.5.1
          Depends on vulnerable versions of @lerna/version
          node_modules/lerna

y18n  4.0.0
Severity: high
Prototype Pollution in y18n - https://github.com/advisories/GHSA-c4w7-xm78-47vh
fix available via `npm audit fix`
node_modules/ganache-cli/node_modules/y18n

yargs-parser  <=5.0.0
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/solc/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
  Depends on vulnerable versions of yargs-parser
  node_modules/solc/node_modules/yargs
    solc  0.3.6 - 0.4.26
    Depends on vulnerable versions of yargs
    node_modules/solc
      @ensdomains/ens  *
      Depends on vulnerable versions of solc
      node_modules/@ensdomains/ens

22 vulnerabilities (5 moderate, 10 high, 7 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

@spacesailor24
Contributor Author

PR #5531 attempted to update ganache-cli to ganache which would've reduced the vulnerabilities by 2:

19 vulnerabilities (4 moderate, 8 high, 7 critical)

@spacesailor24 spacesailor24 marked this pull request as ready for review October 18, 2022 16:29
@spacesailor24 spacesailor24 requested a review from a team October 18, 2022 16:29
@spacesailor24 spacesailor24 self-assigned this Oct 18, 2022
Contributor

@jdevcs jdevcs left a comment

changelog update required

Contributor

@jdevcs jdevcs left a comment

Also update uuid to latest as mentioned in issue scope,

+ discussed there is only one instance of its usage in accounts package. (#4675)

@spacesailor24
Contributor Author

changelog update required

@jdevcs Addressed via this commit - I'm not sure what else to say, getting a list of bumped packages isn't readily available

@spacesailor24
Contributor Author

Also update uuid to latest as mentioned in issue scope,

@jdevcs Addressed via this commit

@spacesailor24 spacesailor24 requested review from jdevcs and a team October 19, 2022 21:49
Contributor

@avkos avkos left a comment

Successfully merging this pull request may close these issues.

1.x dependencies update
4 participants