
Current `walletconnect/web3-provider` has high severity vulnerabilities

Open carmen0208 opened this issue 2 years ago • 1 comment

Describe the bug A clear and concise description of what the bug is.

SDK Version (if relevant)

  • Version web3-provider 1.7.8

To Reproduce Steps to reproduce the behavior:

npm install @walletconnect/web3-provider
npm audit

Expected behavior No vulnerability introduced by walletconnect/web3-provider.

Screenshots

async  >=3.0.0 <3.2.2 || <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/async
node_modules/async-eventemitter/node_modules/async
node_modules/ethereumjs-block/node_modules/async
node_modules/ethereumjs-vm/node_modules/async
node_modules/merkle-patricia-tree/node_modules/async
node_modules/portfinder/node_modules/async
node_modules/web3-provider-engine/node_modules/async
  merkle-patricia-tree  <=0.1.6 || 1.1.2 - 2.3.2
  Depends on vulnerable versions of async
  node_modules/merkle-patricia-tree
    ethereumjs-block  >=0.0.6
    Depends on vulnerable versions of merkle-patricia-tree
    node_modules/ethereumjs-block
    node_modules/ethereumjs-vm/node_modules/ethereumjs-block
      ethereumjs-vm  >=0.1.5
      Depends on vulnerable versions of ethereumjs-block
      Depends on vulnerable versions of merkle-patricia-tree
      node_modules/ethereumjs-vm
        web3-provider-engine  *
        Depends on vulnerable versions of ethereumjs-vm
        node_modules/web3-provider-engine
          @walletconnect/web3-provider  *
          Depends on vulnerable versions of web3-provider-engine
          node_modules/@walletconnect/web3-provider

carmen0208 avatar May 26 '22 06:05 carmen0208
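The audit report above is easier to triage when the "Depends on vulnerable versions of" lines are treated as edges of a graph: the package with "No fix available" is the root cause, and the shortest path from your direct dependency down to it tells you which transitive dependency would have to change. The following Node script is an added example, not code from the walletconnect-monorepo project; it parses the text format that npm 7+ `npm audit` prints (the same shape as the report quoted in the issue) and traces the chain from `@walletconnect/web3-provider` to `async`. The report embedded in the script is a constructed excerpt of the output posted above.

```javascript
// Added example (not part of walletconnect-monorepo): parse `npm audit` text
// output into a small dependency graph and find the shortest chain from a
// direct dependency to the unfixable package. SAMPLE_AUDIT is a constructed
// excerpt of the report quoted in the issue.

const SAMPLE_AUDIT = `
async  >=3.0.0 <3.2.2 || <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/async
node_modules/web3-provider-engine/node_modules/async
  merkle-patricia-tree  <=0.1.6 || 1.1.2 - 2.3.2
  Depends on vulnerable versions of async
  node_modules/merkle-patricia-tree
    ethereumjs-block  >=0.0.6
    Depends on vulnerable versions of merkle-patricia-tree
    node_modules/ethereumjs-block
      ethereumjs-vm  >=0.1.5
      Depends on vulnerable versions of ethereumjs-block
      Depends on vulnerable versions of merkle-patricia-tree
      node_modules/ethereumjs-vm
        web3-provider-engine  *
        Depends on vulnerable versions of ethereumjs-vm
        node_modules/web3-provider-engine
          @walletconnect/web3-provider  *
          Depends on vulnerable versions of web3-provider-engine
          node_modules/@walletconnect/web3-provider
`;

// Parse the report into a Map of package name -> record. A header line is
// "<name>  <affected range>" (two or more spaces between the two fields);
// every other line annotates the most recent header.
function parseAudit(text) {
  const packages = new Map();
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    let m;
    if ((m = line.match(/^(\S+)\s{2,}(.+)$/)) && !/https?:\/\//.test(line)) {
      current = { name: m[1], range: m[2], severity: null, fixAvailable: true,
                  advisories: [], paths: [], dependsOn: [] };
      packages.set(current.name, current);
    } else if (!current) {
      continue; // annotation before any header: ignore
    } else if ((m = line.match(/^Severity:\s*(\w+)$/))) {
      current.severity = m[1];
    } else if (line === 'No fix available') {
      current.fixAvailable = false;
    } else if ((m = line.match(/^Depends on vulnerable versions of (\S+)$/))) {
      current.dependsOn.push(m[1]);
    } else if (line.startsWith('node_modules/')) {
      current.paths.push(line);
    } else if (/https?:\/\//.test(line)) {
      current.advisories.push(line);
    }
  }
  return packages;
}

// Packages flagged by npm as having no upstream fix: the real root cause.
function unfixableRoots(packages) {
  return [...packages.values()].filter(p => !p.fixAvailable).map(p => p.name);
}

// Breadth-first search over "depends on" edges, so the first path found is
// the shortest chain from `from` to `to`. Returns null if none exists.
function dependencyChain(packages, from, to) {
  const queue = [[from]];
  const seen = new Set([from]);
  while (queue.length) {
    const path = queue.shift();
    const last = path[path.length - 1];
    if (last === to) return path;
    const node = packages.get(last);
    if (!node) continue;
    for (const dep of node.dependsOn) {
      if (!seen.has(dep)) {
        seen.add(dep);
        queue.push(path.concat(dep));
      }
    }
  }
  return null;
}

// Stand-alone usage: print the root cause and the chain that reaches it.
const report = parseAudit(SAMPLE_AUDIT);
for (const root of unfixableRoots(report)) {
  const chain = dependencyChain(report, '@walletconnect/web3-provider', root);
  console.log(`${root} (${report.get(root).severity}, no fix): ${chain.join(' > ')}`);
}
```

Running it on the excerpt prints the `async` root cause and the five-package chain through `web3-provider-engine`, `ethereumjs-vm` and `merkle-patricia-tree`, which is exactly the package the follow-up comment asks about removing; the longer route through `ethereumjs-block` is skipped because breadth-first search returns the shortest path.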

As per https://github.com/MetaMask/web3-provider-engine

"This package was originally created for MetaMask and is being phased out in favor of json-rpc-engine and eth-json-rpc-middleware. As such, we will no longer be accepting changes to this package except those which address security issues."

Is there any progress on removing web3-provider-engine as a dependency?

cj-clifton avatar Jun 11 '22 05:06 cj-clifton

Is this still an issue?

finessevanes avatar Feb 16 '23 10:02 finessevanes

Web3-provider has been deprecated in favour of newer packages.

Closing as completed :)

glitch-txs avatar Aug 06 '23 08:08 glitch-txs