[Snyk] Upgrade: , , web3 #55

BitcoinOutput · 2024-09-06T22:47:52Z

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@openzeppelin/contracts
from 4.0.0 to 4.9.6 | 39 versions ahead of your current version | 6 months ago
on 2024-02-29
@truffle/hdwallet-provider
from 1.3.0 to 1.7.0 | 12 versions ahead of your current version | 3 years ago
on 2021-11-19
web3
from 1.2.1 to 1.10.4 | 80 versions ahead of your current version | 7 months ago
on 2024-02-05

Issues fixed by the recommended upgrade:

Issue	Score	Exploit Maturity
Regular Expression Denial of Service (ReDoS) SNYK-JS-NORMALIZEURL-1296539	589	No Known Exploit
Improper Verification of Cryptographic Signature SNYK-JS-OPENZEPPELINCONTRACTS-2980279	589	No Known Exploit
Denial of Service (DoS) SNYK-JS-OPENZEPPELINCONTRACTS-5425827	589	No Known Exploit
Privilege Escalation SNYK-JS-OPENZEPPELINCONTRACTS-1570170	589	No Known Exploit
Deserialization of Untrusted Data SNYK-JS-OPENZEPPELINCONTRACTS-2320176	589	No Known Exploit
Information Exposure SNYK-JS-OPENZEPPELINCONTRACTS-2958047	589	No Known Exploit
Deserialization of Untrusted Data SNYK-JS-OPENZEPPELINCONTRACTS-6056529	589	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579155	589	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579147	589	No Known Exploit
Information Exposure SNYK-JS-SIMPLEGET-2361683	589	Proof of Concept
Arbitrary File Overwrite SNYK-JS-TAR-1536528	589	No Known Exploit
Arbitrary File Overwrite SNYK-JS-TAR-1536531	589	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579152	589	No Known Exploit
Prototype Pollution SNYK-JS-ASYNC-2441827	589	Proof of Concept
Improper Verification of Cryptographic Signature SNYK-JS-BROWSERIFYSIGN-6037026	589	No Known Exploit
Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	589	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-ES5EXT-6095076	589	Proof of Concept
Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	589	No Known Exploit
Prototype Poisoning SNYK-JS-QS-3153490	589	Proof of Concept
Prototype Poisoning SNYK-JS-QS-3153490	589	Proof of Concept
Improper Encoding or Escaping of Output SNYK-JS-OPENZEPPELINCONTRACTS-5838352	589	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	589	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	589	Proof of Concept
Open Redirect SNYK-JS-EXPRESS-6474509	589	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	589	No Known Exploit
Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	589	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	589	Proof of Concept
Denial of Service (DoS) SNYK-JS-OPENZEPPELINCONTRACTS-2965798	589	No Known Exploit
Prototype Pollution SNYK-JS-MINIMIST-2429795	589	Proof of Concept

Release notes

Package name: @openzeppelin/contracts

4.9.6 - 2024-02-29
- Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)
4.9.5 - 2023-12-08
- Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).
4.9.4 - 2023-12-07
- ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
- Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.
4.9.3 - 2023-07-28

Note
This release contains a fix for GHSA-g4vp-m682-qqmp.
- ERC2771Context: Return the forwarder address whenever the msg.data of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes), as specified by ERC-2771. (#4481)
- ERC2771Context: Prevent revert in _msgData() when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes). Return the full calldata in that case. (#4484)
4.9.2 - 2023-06-16
4.9.1 - 2023-06-07
4.9.0 - 2023-05-23
4.9.0-rc.1 - 2023-05-17
4.9.0-rc.0 - 2023-05-09
4.8.3 - 2023-04-13
4.8.2 - 2023-03-02
4.8.1 - 2023-01-13
4.8.0 - 2022-11-08
4.8.0-rc.2 - 2022-10-17
4.8.0-rc.1 - 2022-09-23
4.8.0-rc.0 - 2022-09-07
4.7.3 - 2022-08-10
4.7.2 - 2022-07-27
4.7.1 - 2022-07-20
4.7.0 - 2022-06-29
4.7.0-rc.0 - 2022-06-07
4.6.0 - 2022-04-26
4.6.0-rc.0 - 2022-03-31
4.5.0 - 2022-02-09
4.5.0-rc.0 - 2022-01-13
4.4.2 - 2022-01-11
4.4.1 - 2021-12-14
4.4.0 - 2021-11-25
4.4.0-rc.1 - 2021-11-16
4.4.0-rc.0 - 2021-10-20
4.3.3 - 2021-11-12
4.3.2 - 2021-09-14
4.3.1 - 2021-08-26
4.3.0 - 2021-08-17
4.3.0-rc.0 - 2021-08-06
4.2.0 - 2021-06-30
4.2.0-rc.0 - 2021-06-23
4.1.0 - 2021-04-29
4.1.0-rc.0 - 2021-04-16
4.0.0 - 2021-03-23

from @openzeppelin/contracts GitHub release notes

Package name: @truffle/hdwallet-provider

1.7.0 - 2021-11-19
1.6.0 - 2021-11-05
1.5.1 - 2021-10-07
1.5.1-alpha.1 - 2021-09-13
1.5.1-alpha.0 - 2021-09-08
1.5.0 - 2021-08-22
1.4.3 - 2021-08-06
1.4.2 - 2021-07-24
1.4.2-hdwallet-signTypedMessage.0 - 2021-06-22
1.4.1 - 2021-06-18
1.4.0 - 2021-05-11
1.3.1 - 2021-05-07
1.3.0 - 2021-04-23

from @truffle/hdwallet-provider GitHub release notes

Package name: web3

1.10.4 - 2024-02-05
1.10.4-dev.0 - 2024-01-31
1.10.3 - 2023-10-18
1.10.3-dev.0 - 2023-10-16
1.10.2 - 2023-08-28
1.10.1 - 2023-08-14
1.10.1-rc.0 - 2023-08-08
1.10.0 - 2023-05-10
1.10.0-rc.0 - 2023-05-02
1.9.0 - 2023-03-20
1.9.0-rc.0 - 2023-03-07
1.8.2 - 2023-01-30
1.8.2-rc.0 - 2023-01-11
1.8.1 - 2022-11-10
1.8.1-rc.0 - 2022-10-28
1.8.0 - 2022-09-14
1.8.0-rc.0 - 2022-09-08
1.7.5 - 2022-08-01
1.7.5-rc.1 - 2022-07-19
1.7.5-rc.0 - 2022-07-15
1.7.4 - 2022-06-21
1.7.4-rc.2 - 2022-06-16
1.7.4-rc.1 - 2022-06-08
1.7.4-rc.0 - 2022-05-17
1.7.3 - 2022-04-08
1.7.3-rc.0 - 2022-04-07
1.7.2 - 2022-04-07
1.7.2-rc.0 - 2022-03-24
1.7.1 - 2022-03-03
1.7.1-rc.0 - 2022-02-10
1.7.0 - 2022-01-17
1.7.0-rc.0 - 2021-12-09
1.6.1 - 2021-11-15
1.6.1-rc.3 - 2021-11-10
1.6.1-rc.2 - 2021-10-27
1.6.1-rc.0 - 2021-10-09
1.6.0 - 2021-09-30
1.6.0-rc.0 - 2021-09-26
1.5.3 - 2021-09-22
1.5.3-rc.0 - 2021-09-10
1.5.2 - 2021-08-15
1.5.2-rc.0 - 2021-08-15
1.5.1 - 2021-08-05
1.5.1-rc.1 - 2021-08-05
1.5.1-rc.0 - 2021-07-31
1.5.0 - 2021-07-28
1.5.0-rc.1 - 2021-07-24
1.5.0-rc.0 - 2021-07-21
1.4.0 - 2021-06-30
1.4.0-rc.0 - 2021-06-25
1.3.6 - 2021-05-14
1.3.6-rc.2 - 2021-05-13
1.3.6-rc.1 - 2021-05-09
1.3.5 - 2021-04-05
1.3.5-rc.0 - 2021-03-24
1.3.4 - 2021-02-03
1.3.4-rc.2 - 2021-01-28
1.3.4-rc.1 - 2021-01-26
1.3.3 - 2021-01-22
1.3.2 - 2021-01-21
1.3.2-rc.2 - 2021-01-21
1.3.1 - 2020-12-17
1.3.0 - 2020-09-15
1.3.0-rc.0 - 2020-09-02
1.2.11 - 2020-07-18
1.2.10 - 2020-07-17
1.2.10-rc.0 - 2020-07-09
1.2.9 - 2020-06-09
1.2.9-rc.0 - 2020-06-02
1.2.8 - 2020-05-20
1.2.8-rc.1 - 2020-05-18
1.2.8-rc.0 - 2020-05-08
1.2.7 - 2020-04-24
1.2.7-rc.0 - 2020-04-15
1.2.6 - 2020-02-02
1.2.5 - 2020-01-27
1.2.5-rc.0 - 2020-01-16
1.2.4 - 2019-11-15
1.2.3 - 2019-11-14
1.2.2 - 2019-10-23
1.2.1 - 2019-08-06

from web3 GitHub release notes

Important

Check the changes in this PR to ensure they won't cause issues with your project.
This PR was automatically created by Snyk using the credentials of a real user.
Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

📜 Customise PR templates

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Snyk has created this PR to upgrade: - @openzeppelin/contracts from 4.0.0 to 4.9.6. See this package in npm: https://www.npmjs.com/package/@openzeppelin/contracts - @truffle/hdwallet-provider from 1.3.0 to 1.7.0. See this package in npm: https://www.npmjs.com/package/@truffle/hdwallet-provider - web3 from 1.2.1 to 1.10.4. See this package in npm: https://www.npmjs.com/package/web3 See this project in Snyk: https://app.snyk.io/org/debuggineffect/project/0a7874f3-03cb-4e55-afee-26f516fb627e?utm_source=github&utm_medium=referral&page=upgrade-pr

guardrails · 2024-09-06T22:48:38Z

⚠️ We detected 2 security issues in this pull request:

Vulnerable Libraries (2)

Severity	Details
Critical	pkg:npm/@truffle/[email protected] (t) upgrade to: > 1.3.0
Critical	pkg:npm/[email protected] (t) upgrade to: > 1.2.1

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Snyk] Upgrade: , , web3 #55

[Snyk] Upgrade: , , web3 #55

Uh oh!

BitcoinOutput commented Sep 6, 2024

Uh oh!

guardrails bot commented Sep 6, 2024

Uh oh!

Uh oh!

[Snyk] Upgrade: , , web3 #55

Are you sure you want to change the base?

[Snyk] Upgrade: , , web3 #55

Uh oh!

Conversation

BitcoinOutput commented Sep 6, 2024

Snyk has created this PR to upgrade multiple dependencies.

Issues fixed by the recommended upgrade:

Uh oh!

guardrails bot commented Sep 6, 2024

Uh oh!

Uh oh!