
Upgrading scodec bits from `1.1.30` -> `1.1.3x` results in failure

Open Christewart opened this issue 3 years ago • 3 comments

The stack trace looks like this on the PR: https://github.com/bitcoin-s/bitcoin-s/runs/6490536713?check_suite_focus=true#step:5:415

This seems to be a regression introduced in 1.1.31

 coreTestJS/test
[info] Updating NPM dependencies
[error] npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
[error] npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
[error] npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
[error] npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
[error] npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
[error] npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
[error] npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
[error] npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
[info] added 612 packages, and audited 613 packages in 51s
[info] 26 packages are looking for funding
[info]   run `npm fund` for details
[info] 14 vulnerabilities (6 moderate, 5 high, 3 critical)
[info] To address issues that do not require attention, run:
[info]   npm audit fix
[info] To address all issues, run:
[info]   npm audit fix --force
[info] Run `npm audit` for details.
[info] Fast optimizing /home/chris/dev/bitcoin-s/core-test/.js/target/scala-2.13/bitcoin-s-core-test-test-fastopt
[error] Referring to non-existent class java.security.SecureRandom
[error]   called from private java.util.UUID$.csprng$lzycompute()java.util.Random
[error]   called from private java.util.UUID$.csprng()java.util.Random
[error]   called from java.util.UUID$.randomUUID()java.util.UUID
[error]   called from static java.util.UUID.randomUUID()java.util.UUID
[error]   called from org.scalatest.tools.TestSortingReporter.distributingTest(java.lang.String)void
[error]   called from private org.scalatest.AsyncSuperEngine.$anonfun$runTestImpl$1(java.lang.String,org.scalatest.DistributedTestSorter)void
[error]   called from org.scalatest.AsyncSuperEngine.runTestImpl(org.scalatest.Suite,java.lang.String,org.scalatest.Args,boolean,boolean,scala.Function2,scala.concurrent.ExecutionContext)org.scalatest.Status
[error]   called from org.scalatest.flatspec.AsyncFlatSpecLike.runTest(java.lang.String,org.scalatest.Args)org.scalatest.Status
[error]   called from org.bitcoins.core.util.FutureUtilTest.org$scalatest$BeforeAndAfter$$super$runTest(java.lang.String,org.scalatest.Args)org.scalatest.Status
[error]   called from org.scalatest.BeforeAndAfter.runTest(java.lang.String,org.scalatest.Args)org.scalatest.Status
[error]   called from org.bitcoins.core.util.FutureUtilTest.runTest(java.lang.String,org.scalatest.Args)org.scalatest.Status

Christewart avatar May 31 '22 17:05 Christewart

Hm, scodec-bits doesn't call UUID.randomUUID and the stack trace looks like it's coming from ScalaTest? Any ideas @armanbilge?

mpilquist avatar May 31 '22 17:05 mpilquist

Yup, this is https://github.com/scala-js/scala-js/security/advisories/GHSA-j2f9-w8wh-9ww4. You should be able to reproduce it by updating to Scala.js 1.10 without updating scodec-bits.

See the Scala.js release notes about how to upgrade to 1.10. https://www.scala-js.org/news/2022/04/04/announcing-scalajs-1.10.0/

armanbilge avatar May 31 '22 17:05 armanbilge

Thanks!

mpilquist avatar May 31 '22 17:05 mpilquist