eth-provider
There is a vulnerability introduced in your package
Hi @floating @mholtzman, I'd like to report a vulnerability introduced in your package eth-provider:
Issue Description
A vulnerability, CVE-2021-32640, detected in package ws (<5.2.3, >=6.0.0 <6.2.2, >=7.0.0 <7.4.6) is directly referenced by eth-provider@0.2.5. We noticed that such a vulnerability has been removed since eth-provider@0.7.0.
However, eth-provider's popular previous version eth-provider@0.2.5 (4,847 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 32 downstream projects, e.g., use-wallet 0.9.0, @binance-chain/bsc-use-wallet 0.8.1, @sekmet/next-auth 0.1.49, cryptowalletconnector 1.0.14, hubot-kredits 3.8.0, @aragon/[email protected], etc.). As such, issue CVE-2021-32640 can be propagated into these downstream projects and expose them to security threats.
These projects cannot easily upgrade eth-provider from version 0.2.5 to >=0.7.0. For instance, eth-provider@0.2.5 is introduced into the above projects via the following package dependency paths:
(1) @aragon/[email protected] ➔ use-wallet@0.9.0 ➔ @web3-react/[email protected] ➔ eth-provider@0.2.5 ➔ ws@7.1.2
......
Projects such as @web3-react/frame-connector, which introduced eth-provider@0.2.5, are not maintained anymore. These unmaintained packages can neither upgrade eth-provider nor be easily migrated away from by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package eth-provider@0.2.5?
Suggested Solution
Since these inactive projects set a version constraint 0.2.* for eth-provider on the above vulnerable dependency paths, if eth-provider removes the vulnerability from 0.2.5 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the 32 affected downstream projects.
In [email protected], you can kindly try to perform the following upgrade:
ws 7.1.2 ➔ 7.4.6
Note:
ws@7.4.6 has fixed the vulnerability (CVE-2021-32640).
Thank you for your help.
Best regards, Paimon
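The following is an added example, not code from the eth-provider project or from the reporter. It shows the two checks behind the report: walking a dependency graph to find every path that ends at a `ws` version inside the CVE-2021-32640 affected ranges, and testing why a patched release in the `0.2.*` line would be picked up by the downstream constraint while `0.7.0` would not. The graph is constructed: the `use-wallet@0.9.0 ➔ eth-provider@0.2.5 ➔ ws@7.1.2` chain follows the report, while `demo-dapp` and `some-connector` (and their versions) are placeholders for the unnamed links. It assumes plain MAJOR.MINOR.PATCH versions and uses no external packages, so the semver handling is a minimal stand-in for the real `semver` library.

```javascript
// Added example (not eth-provider or reporter code): find dependency paths to a
// vulnerable `ws` and check which eth-provider versions a "0.2.*" constraint accepts.
// Assumes plain MAJOR.MINOR.PATCH version strings; no external packages.

// Affected ws ranges for CVE-2021-32640 as written in the report:
// <5.2.3, >=6.0.0 <6.2.2, >=7.0.0 <7.4.6. Each inner array is one AND-ed range.
const WS_AFFECTED = [
  ['<5.2.3'],
  ['>=6.0.0', '<6.2.2'],
  ['>=7.0.0', '<7.4.6'],
];

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1 like a comparator for Array.prototype.sort.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a single comparator such as ">=7.0.0" against a version.
function matchesComparator(comparator, version) {
  const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const op = m[1] || '=';
  const c = compareVersions(version, m[2]);
  switch (op) {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// A version is affected if it satisfies every comparator of any one range.
function isAffected(version, ranges = WS_AFFECTED) {
  return ranges.some((range) => range.every((cmp) => matchesComparator(cmp, version)));
}

// Does a wildcard constraint such as "0.2.*" accept the given version?
// Only the MAJOR.MINOR.* form used in the report is handled here.
function satisfiesWildcard(constraint, version) {
  const m = /^(\d+)\.(\d+)\.\*$/.exec(constraint);
  if (!m) throw new Error(`unsupported constraint: ${constraint}`);
  const [major, minor] = parseVersion(version);
  return major === Number(m[1]) && minor === Number(m[2]);
}

// Constructed dependency graph. Keys are "name@version"; values list the
// resolved dependencies. "demo-dapp" and "some-connector" are placeholders,
// not real packages; the rest of the chain follows the report.
const GRAPH = {
  'demo-dapp@1.0.0': ['use-wallet@0.9.0', 'ws@7.4.6'],
  'use-wallet@0.9.0': ['some-connector@1.0.0'],
  'some-connector@1.0.0': ['eth-provider@0.2.5'],
  'eth-provider@0.2.5': ['ws@7.1.2'],
  'ws@7.1.2': [],
  'ws@7.4.6': [],
};

// Split on the last "@" so scoped names such as "@scope/pkg@1.2.3" work.
function splitNode(node) {
  const at = node.lastIndexOf('@');
  return { name: node.slice(0, at), version: node.slice(at + 1) };
}

// Depth-first walk from `root`; return every path whose last node is an
// affected version of `target`. The `seen` set guards against cycles.
function findVulnerablePaths(graph, root, target = 'ws', ranges = WS_AFFECTED) {
  const results = [];
  const walk = (node, path, seen) => {
    if (seen.has(node)) return;
    const { name, version } = splitNode(node);
    if (name === target) {
      if (isAffected(version, ranges)) results.push([...path, node]);
      return;
    }
    const next = new Set(seen).add(node);
    for (const dep of graph[node] || []) walk(dep, [...path, node], next);
  };
  walk(root, [], new Set());
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of findVulnerablePaths(GRAPH, 'demo-dapp@1.0.0')) console.log(p.join(' -> '));
  console.log('0.2.* accepts 0.2.6:', satisfiesWildcard('0.2.*', '0.2.6'));
  console.log('0.2.* accepts 0.7.0:', satisfiesWildcard('0.2.*', '0.7.0'));
}
```

Running it prints the single vulnerable path through eth-provider@0.2.5 and skips the direct `ws@7.4.6` edge, since 7.4.6 falls outside every affected range. The wildcard check is the report's argument in miniature: a release such as 0.2.6 satisfies `0.2.*` and flows to the pinned downstream projects automatically, whereas 0.7.0 does not, which is why a backport to the 0.2 line is requested rather than an upgrade.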