
FR: remove @ethersproject/providers as a dependency in favor of ethers

Open aaronzshey opened this issue 1 year ago • 1 comment

Currently, this sdk depends on @ethersproject/[email protected], which was released two years ago! Not only is this a really long time, this package also depends on a vulnerable release of ws. Here's the npm warning from installing alchemy-sdk right now:

ws  2.1.0 - 5.2.3 || 7.0.0 - 7.5.9
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install @alch/[email protected], which is a breaking change
node_modules/@ethersproject/providers/node_modules/ws
node_modules/eth-lib/node_modules/ws
  @ethersproject/providers  <=5.7.2
  Depends on vulnerable versions of ws
  node_modules/@ethersproject/providers
    alchemy-sdk  *
    Depends on vulnerable versions of @ethersproject/providers
    node_modules/alchemy-sdk

This offending package is currently only mentioned 5 times. All of these uses can be replaced with ethers, except for two:

CommunityResourceable: this export is currently commented out in the ethers GitHub. I've opened an issue with them asking why.

Formatter: the formatter appears to be widely used, but I was unable to find a corresponding method in ethers (yet). We could either find and import a solution from ethers, or just use the code from providers, as exposed on npm (src.ts/formatter.ts).

Given that the formatter code has already been modified and included in the project in the form of the getFilter function, I'm leaning towards just eliminating the import of formatter from an external library.

Thoughts?

aaronzshey avatar Jun 27 '24 01:06 aaronzshey
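As an added illustration of the transitive-dependency problem the issue describes (example code, not part of the issue, of alchemy-sdk or of ethers), the script below reads an npm lockfile (lockfileVersion 2/3, `packages` map keyed by install location) offline, finds every installed copy of ws whose version falls inside the ranges quoted in the audit output above, and reports which packages actually resolve to each copy. The lockfile fragment, its version numbers and its dependency edges are constructed for the example; the real dependency graph of alchemy-sdk and eth-lib is not asserted here.

```javascript
// Added example (not alchemy-sdk's or ethers' code): find installed copies of a
// package inside known-vulnerable version ranges by reading an npm lockfile
// (lockfileVersion 2/3 "packages" map keyed by install location) offline.
// The ws ranges are the ones quoted in the npm audit output in the issue; the
// lockfile below is constructed for this example and is not the real lockfile.

const VULNERABLE_WS_RANGES = [
  { min: '2.1.0', max: '5.2.3' }, // GHSA-3h5v-q93c-6h6q, first affected range
  { min: '7.0.0', max: '7.5.9' }, // GHSA-3h5v-q93c-6h6q, second affected range
];

// Constructed lockfile fragment; versions and dependency edges are illustrative,
// with install paths loosely mirroring the audit output above.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'alchemy-sdk': '*', 'eth-lib': '*' } },
    'node_modules/alchemy-sdk': {
      version: '0.0.0-example',
      dependencies: { '@ethersproject/providers': '5.7.2', ws: '^8.0.0' },
    },
    'node_modules/@ethersproject/providers': { version: '5.7.2', dependencies: { ws: '7.4.6' } },
    'node_modules/@ethersproject/providers/node_modules/ws': { version: '7.4.6' },
    'node_modules/eth-lib': { version: '0.0.0-example', dependencies: { ws: '^3.0.0' } },
    'node_modules/eth-lib/node_modules/ws': { version: '3.3.3' },
    'node_modules/ws': { version: '8.17.1' },
  },
};

// Minimal semver-style comparison on the major.minor.patch numbers (pre-release
// tags are ignored, which is enough for closed numeric ranges like the above).
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function inRange(version, { min, max }) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0;
}

// Node-style resolution: a package at fromLocation importing depName gets the
// copy in its own node_modules, else the nearest ancestor's, else the root's.
function resolveDependency(packages, fromLocation, depName) {
  let base = fromLocation;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Name of the package installed at a lockfile location ('' is the root project).
function packageNameAt(location) {
  if (location === '') return '(root project)';
  return location.slice(location.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Returns every installed copy of pkgName whose version is inside one of the
// ranges, together with the packages that actually resolve to that copy. This
// separates a vulnerable copy that is really used from a stale, unreferenced one.
function findVulnerable(lock, pkgName, ranges) {
  const packages = lock.packages;
  const hits = [];
  for (const [location, meta] of Object.entries(packages)) {
    if (!location.endsWith(`node_modules/${pkgName}`) || !meta.version) continue;
    if (!ranges.some((r) => inRange(meta.version, r))) continue;
    const dependents = Object.entries(packages)
      .filter(([, m]) => m.dependencies && pkgName in m.dependencies)
      .filter(([from]) => resolveDependency(packages, from, pkgName) === location)
      .map(([from]) => packageNameAt(from));
    hits.push({ location, version: meta.version, dependents });
  }
  return hits;
}

function formatReport(hits, pkgName) {
  if (hits.length === 0) return `no vulnerable copies of ${pkgName} installed`;
  return hits
    .map((h) => `${pkgName}@${h.version} at ${h.location} used by: ${h.dependents.join(', ') || '(nothing)'}`)
    .join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatReport(findVulnerable(SAMPLE_LOCK, 'ws', VULNERABLE_WS_RANGES), 'ws'));
}
```

Run it with `node` against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the parsed file. The `dependents` list is the useful part: a nested copy that nothing resolves to is just lockfile residue, whereas a copy reached only through a pinned, outdated package such as @ethersproject/providers can only be removed by replacing that dependency (as the issue proposes) or by forcing a newer ws via an `overrides` entry in package.json, which `npm audit` cannot do for you.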

A quick update: The next minor bump of ethers will bring back CommunityResourceable.

@ethersproject/providers uses the MIT license, giving us "Permission ... to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software".

I'll link a PR when the next minor ver of ethers comes out

aaronzshey avatar Jun 28 '24 18:06 aaronzshey

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs

github-actions[bot] avatar Jul 30 '24 01:07 github-actions[bot]

Just commenting to make sure this issue is kept open.

zartosht avatar Aug 24 '24 05:08 zartosht