MultiCurrencyWallet
58 vulnerabilities in dependencies
Screenshot or description
There are 58 vulnerabilities in this package's dependencies (8 low, 35 moderate, 14 high, 1 critical).
Tried to fix them but most of them have breaking changes.
$ npm audit fix
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react
npm WARN react@"^17.0.1" from the root project
npm WARN 28 more (@web3-react/core, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"^0.13.0 || ^0.14.0 || ^15.0.0 || ^16.0.0" from [email protected]
npm WARN node_modules/react-document-meta/node_modules/react-side-effect
npm WARN react-side-effect@"^1.1.0" from [email protected]
npm WARN node_modules/react-document-meta
npm WARN
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/react
npm WARN peer react@"^0.13.0 || ^0.14.0 || ^15.0.0 || ^16.0.0" from [email protected]
npm WARN node_modules/react-document-meta/node_modules/react-side-effect
npm WARN react-side-effect@"^1.1.0" from [email protected]
npm WARN node_modules/react-document-meta
up to date, audited 2787 packages in 1m
313 packages are looking for funding
run npm fund for details
npm audit report
axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/@json-rpc-tools/provider/node_modules/axios
node_modules/axios
@json-rpc-tools/provider <=2.0.0-beta.1
Depends on vulnerable versions of axios
node_modules/@json-rpc-tools/provider
eip1193-provider >=1.0.0
Depends on vulnerable versions of @json-rpc-tools/provider
node_modules/eip1193-provider
@walletconnect/ethereum-provider <=2.4.3
Depends on vulnerable versions of eip1193-provider
node_modules/@walletconnect/ethereum-provider
@web3-react/walletconnect-connector >=6.2.6
Depends on vulnerable versions of @walletconnect/ethereum-provider
node_modules/@web3-react/walletconnect-connector
elliptic <=6.5.3
Severity: high
Elliptic Uses a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
Signature Malleabillity in elliptic - https://github.com/advisories/GHSA-vh7m-p724-62c2
No fix available
node_modules/ghost-bitcore-lib/node_modules/elliptic
ghost-bitcore-lib
Depends on vulnerable versions of elliptic
Depends on vulnerable versions of lodash
node_modules/ghost-bitcore-lib
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/package-json/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
ava 0.1.0 - 4.0.0-rc.1
Depends on vulnerable versions of update-notifier
node_modules/ava
jpeg-js <=0.4.3
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
Uncontrolled resource consumption in jpeg-js - https://github.com/advisories/GHSA-w7q9-p3jq-fmhm
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/resize-img/node_modules/jimp/node_modules/jpeg-js
node_modules/resize-img/node_modules/jpeg-js
jimp <=0.3.5
Depends on vulnerable versions of jpeg-js
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of request
Depends on vulnerable versions of url-regex
node_modules/resize-img/node_modules/jimp
resize-img <=1.1.2
Depends on vulnerable versions of jimp
Depends on vulnerable versions of jpeg-js
node_modules/resize-img
to-ico >=1.1.0
Depends on vulnerable versions of resize-img
node_modules/to-ico
favicons 4.8.3 - 7.1.1
Depends on vulnerable versions of sharp
Depends on vulnerable versions of to-ico
Depends on vulnerable versions of xml2js
node_modules/favicons
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/find-babel-config/node_modules/json5
find-babel-config <=1.2.0
Depends on vulnerable versions of json5
node_modules/find-babel-config
babel-plugin-module-resolver 2.3.0 - 4.1.0
Depends on vulnerable versions of find-babel-config
node_modules/babel-plugin-module-resolver
libp2p <=0.38.0-fc2224a
Severity: high
libp2p DoS vulnerability from lack of resource management - https://github.com/advisories/GHSA-f44q-634c-jvwv
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of peer-id
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/libp2p
lodash <=4.17.20
Severity: high
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via npm audit fix
node_modules/ghost-bitcore-lib/node_modules/lodash
minimist <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/resize-img/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/resize-img/node_modules/mkdirp
node-fetch <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/puppeteer/node_modules/node-fetch
puppeteer 10.0.0 - 13.1.1
Depends on vulnerable versions of node-fetch
node_modules/puppeteer
node-forge <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Prototype Pollution in node-forge util.setPath API - https://github.com/advisories/GHSA-wxgw-qj99-44c2
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge - https://github.com/advisories/GHSA-92xj-mqp7-vmcj
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/libp2p-secio/node_modules/node-forge
node_modules/libp2p-secio/node_modules/peer-id/node_modules/node-forge
node_modules/node-forge
libp2p-crypto <=0.6.1 || 0.12.0 - 0.21.1
Depends on vulnerable versions of node-forge
node_modules/libp2p-crypto
node_modules/libp2p-interfaces/node_modules/libp2p-crypto
node_modules/libp2p-secio/node_modules/libp2p-crypto
node_modules/libp2p-secio/node_modules/peer-id/node_modules/libp2p-crypto
node_modules/peer-id/node_modules/libp2p-crypto
libp2p-interfaces <=1.3.1
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of peer-id
node_modules/libp2p-interfaces
node_modules/libp2p-secio/node_modules/libp2p-interfaces
libp2p-gossipsub <=0.11.5
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-gossipsub
libp2p-kad-dht 0.6.3 - 0.27.0
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-kad-dht
libp2p-secio <=0.5.0 || >=0.9.1
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-secio
peer-id 0.7.0 || 0.10.5 - 0.15.4
Depends on vulnerable versions of libp2p-crypto
node_modules/libp2p-secio/node_modules/peer-id
node_modules/peer-id
libp2p-bootstrap <=0.13.0
Depends on vulnerable versions of peer-id
node_modules/libp2p-bootstrap
libp2p-webrtc-star 0.2.0 - 0.4.5 || 0.13.4 - 0.24.1
Depends on vulnerable versions of peer-id
node_modules/libp2p-webrtc-star
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/request
request-promise-cache *
Depends on vulnerable versions of request
node_modules/request-promise-cache
request-promise-core *
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native
servify *
Depends on vulnerable versions of request
node_modules/servify
eth-lib 0.1.24 - 0.1.29
Depends on vulnerable versions of servify
node_modules/eth-lib
swarm-js >=0.1.36
Depends on vulnerable versions of eth-lib
node_modules/swarm-js
web3-bzz *
Depends on vulnerable versions of swarm-js
node_modules/web3-bzz
web3 1.0.0-beta.1 - 3.0.0-rc.0
Depends on vulnerable versions of web3-bzz
node_modules/web3
@1inch/limit-order-protocol >=1.4.0
Depends on vulnerable versions of web3
node_modules/@1inch/limit-order-protocol
web3-provider-engine *
Depends on vulnerable versions of ethereumjs-block
Depends on vulnerable versions of ethereumjs-vm
Depends on vulnerable versions of request
node_modules/web3-provider-engine
@walletconnect/web3-provider *
Depends on vulnerable versions of web3-provider-engine
node_modules/@walletconnect/web3-provider
semver >=7.0.0 <7.5.2 || <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/levelup/node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
levelup 0.9.0 - 1.3.9
Depends on vulnerable versions of semver
node_modules/levelup
merkle-patricia-tree 0.1.22 - 2.3.2
Depends on vulnerable versions of levelup
node_modules/merkle-patricia-tree
ethereumjs-block >=0.0.3
Depends on vulnerable versions of merkle-patricia-tree
node_modules/ethereumjs-block
node_modules/ethereumjs-vm/node_modules/ethereumjs-block
ethereumjs-vm >=0.1.1
Depends on vulnerable versions of ethereumjs-block
Depends on vulnerable versions of merkle-patricia-tree
node_modules/ethereumjs-vm
simple-update-notifier 1.0.7 - 1.1.0
Depends on vulnerable versions of semver
node_modules/simple-update-notifier
nodemon 2.0.19 - 2.0.22
Depends on vulnerable versions of simple-update-notifier
node_modules/nodemon
sharp <=0.32.5
Severity: high
sharp vulnerable to Command Injection in post-installation over build environment - https://github.com/advisories/GHSA-gp95-ppv5-3jc5
sharp vulnerability in libwebp dependency CVE-2023-4863 - https://github.com/advisories/GHSA-54xq-cgqr-rpm3
fix available via npm audit fix
node_modules/sharp
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
url-regex *
Severity: high
Regular expression denial of service in url-regex - https://github.com/advisories/GHSA-v4rh-8p82-6h5w
fix available via npm audit fix
node_modules/url-regex
xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/xml2js
58 vulnerabilities (8 low, 35 moderate, 14 high, 1 critical)
To address issues that do not require attention, run: npm audit fix
To address all issues possible (including breaking changes), run: npm audit fix --force
Some issues need review, and may require choosing a different dependency.
Steps to reproduce
nvm install 18
npm i
Environment
- Domain: not set
- Mainnet or Testnet: testnet
- Browser: any
- OS: Ubuntu 23.10
Your version
- [x] latest
- [ ] not latest (please try to upgrade first)
- [ ] not sure
Does this affect atomic swap flow?
- [x] yes
- [ ] no
Are real funds at risk?
- [ ] yes
- [x] no