Review Snyk Report
Problem
There are some issues Snyk has reported that need to be reviewed.
Solution
Review items found by Snyk.
Alternatives
No response
I have no access to the Snyk portal. I've contacted Jacob Rodriguez and I'm currently waiting for access.
I have addressed the issues (bumping up versions) which had a fix available in the Snyk portal. After the PR is merged I will run a new scan, check it and describe the remaining issues, which are not fixable for the moment.
NOTE: If possible it's a good idea for someone else also to check the report.
In the root package.json file there is one type of critical vulnerability - elliptic - Improper Verification of Cryptographic Signature, which is coming from [email protected] and is fixed in version 6.5.7, but we cannot update it directly, since the dependency hierarchy is the following:
@hashgraph/[email protected] › @ethersproject/[email protected] › @ethersproject/[email protected] › @ethersproject/[email protected] › @ethersproject/[email protected] › @ethersproject/[email protected] › @ethersproject/[email protected] › [email protected]
In the examples/react-native-example/package.json file there is the same critical vulnerability for [email protected], but also the @babel/traverse - Incomplete List of Disallowed Inputs one. This is theoretically fixable by upgrading expo to v50.0.0, but as can be seen in the comments of PR #2594, this update is postponed and details about the reason can be found in #2361.
There are no other critical issues and all other issues (high or medium) are currently not fixable.