
[Snyk] Security upgrade web3-provider-engine from 15.0.0 to 17.0.0

Open knanjukutty-polymath opened this issue 10 months ago • 0 comments

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
⚠️ Warning
Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:
Columns: Severity, Priority Score (*), Issue, Breaking Change, Exploit Maturity.

  • high severity, priority score 159/1000: Prototype Pollution (SNYK-JS-ASYNC-2441827); breaking change: Yes; exploit maturity: Proof of Concept
    Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00132, Social Trends: No, Days since published: 742, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.64, Score Version: V5
  • medium severity, priority score 112/1000: Cryptographic Issues (SNYK-JS-ELLIPTIC-1064899); breaking change: Yes; exploit maturity: No Known Exploit
    Why? Confidentiality impact: High, Integrity impact: None, Availability impact: None, Scope: Changed, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00116, Social Trends: No, Days since published: 1170, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 6.65, Likelihood: 1.67, Score Version: V5
  • medium severity, priority score 75/1000: Timing Attack (SNYK-JS-ELLIPTIC-511941); breaking change: Yes; exploit maturity: No Known Exploit
    Why? Confidentiality impact: Low, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Adjacent, EPSS: 0.01055, Social Trends: No, Days since published: 1618, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 7.03, Likelihood: 1.07, Score Version: V5
  • high severity, priority score 221/1000: Cryptographic Issues (SNYK-JS-ELLIPTIC-571484); breaking change: Yes; exploit maturity: Proof of Concept
    Why? Confidentiality impact: High, Integrity impact: High, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00353, Social Trends: No, Days since published: 1401, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.08, Likelihood: 2.43, Score Version: V5
  • medium severity, priority score 63/1000: Regular Expression Denial of Service (ReDoS) (SNYK-JS-LODASH-1018905); breaking change: Yes; exploit maturity: Proof of Concept
    Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00231, Social Trends: No, Days since published: 1158, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5
  • high severity, priority score 239/1000: Command Injection (SNYK-JS-LODASH-1040724); breaking change: Yes; exploit maturity: Proof of Concept
    Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00606, Social Trends: No, Days since published: 1158, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.43, Score Version: V5
  • high severity, priority score 188/1000: Prototype Pollution (SNYK-JS-LODASH-567746); breaking change: Yes; exploit maturity: Proof of Concept
    Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01036, Social Trends: No, Days since published: 1451, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 7.03, Likelihood: 2.67, Score Version: V5
  • high severity, priority score 150/1000: Prototype Pollution (SNYK-JS-LODASH-608086); breaking change: Yes; exploit maturity: Proof of Concept
    Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1336, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5
  • high severity, priority score 170/1000: Prototype Pollution (SNYK-JS-LODASH-6139239); breaking change: Yes; exploit maturity: Proof of Concept
    Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 3, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.83, Score Version: V5
  • high severity, priority score 169/1000: Regular Expression Denial of Service (ReDoS) (SNYK-JS-SEMVER-3247795); breaking change: Yes; exploit maturity: Proof of Concept
    Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00091, Social Trends: No, Days since published: 303, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: web3-provider-engine
The new version differs by 126 commits.
  • c980e52 Release 17.0.0 (#474)
  • 0e45c90 devDeps: [email protected]>ganache@^7.9.2 (#473)
  • 5400086 devDeps: ethjs@^0.3.6 -> @metamask/ethjs@^0.6.0 (#470)
  • c8335a1 Bump express from 4.18.2 to 4.19.2 (#472)
  • e9849a7 chore: bump runtime deps (#471)
  • 7dc8cc1 chore: Add deprecation notice (#469)
  • 2b354fd Update security code scanner file (#468)
  • 5b15643 Bump es5-ext from 0.10.62 to 0.10.64 (#466)
  • f67b49e Enabling MetaMask security code scanner (#467)
  • f131161 Bump browserify-sign from 4.2.1 to 4.2.2 (#464)
  • 01c8dc8 sync v16.x changes (#463)
  • f68b6e4 devDeps: tape@^4.4.0->^5.7.1 (#460)
  • d5da4c8 devDeps(test): replace ethereumjs-util with @ethereumjs/util,ethereum-cryptography (#457)
  • a3d4dd6 fix(etherscan,rpc): fix require of @cypress/request (#458)
  • 5a95dc6 devDeps: browserify@^16.5.0->^17.0.0 (#456)
  • 4edf2ba ci: run bundle as part of build-lint-test workflow (#455)
  • fb5c25e babelify dependencies (#454)
  • 02afa4c deps: readable-stream@^2.2.9->^3.6.2 (#452)
  • 7e28f6d deps: Bump ethereumjs and metamask packages (#453)
  • f92ca6f BREAKING: Increase minimum Node.js version to 16 (#447)
  • 730bd5c deps: lockbump minimist (#445)
  • 06ac733 Release 16.0.6 (#449)
  • d0d93b9 devDeps: bump babel packages (#450)
  • e131674 ci: run on ubuntu-latest(22.04) instead of ubuntu-20.04 (#448)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


knanjukutty-polymath, Apr 19 '24 00:04