Created
August 13, 2022 16:18
-
-
Save riptl/bd50d1cb2171bc923d7b03f93dfddacd to your computer and use it in GitHub Desktop.
Vulnerabilities in web3.js 1.7.5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # npm audit report | |
| ansi-regex 4.0.0 - 4.1.0 | |
| Severity: high | |
| Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw | |
| fix available via `npm audit fix` | |
| node_modules/ganache-cli/node_modules/ansi-regex | |
| node_modules/yargs/node_modules/ansi-regex | |
| elliptic <6.5.4 | |
| Severity: moderate | |
| Use of a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w | |
| fix available via `npm audit fix` | |
| node_modules/ganache-cli/node_modules/elliptic | |
| glob-parent <5.1.2 | |
| Severity: high | |
| glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6 | |
| fix available via `npm audit fix --force` | |
| Will install karma-browserify@8.1.0, which is a breaking change | |
| node_modules/watchify/node_modules/glob-parent | |
| node_modules/watchpack-chokidar2/node_modules/glob-parent | |
| chokidar 1.0.0-rc1 - 2.1.8 | |
| Depends on vulnerable versions of glob-parent | |
| node_modules/watchify/node_modules/chokidar | |
| node_modules/watchpack-chokidar2/node_modules/chokidar | |
| watchify 3.0.0 - 3.11.1 | |
| Depends on vulnerable versions of chokidar | |
| node_modules/watchify | |
| karma-browserify 4.1.0 - 8.0.0 | |
| Depends on vulnerable versions of watchify | |
| node_modules/karma-browserify | |
| watchpack-chokidar2 * | |
| Depends on vulnerable versions of chokidar | |
| node_modules/watchpack-chokidar2 | |
| watchpack 1.7.2 - 1.7.5 | |
| Depends on vulnerable versions of watchpack-chokidar2 | |
| node_modules/watchpack | |
| webpack 4.44.0 - 4.46.0 | |
| Depends on vulnerable versions of watchpack | |
| node_modules/webpack | |
| got <11.8.5 | |
| Severity: moderate | |
| Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97 | |
| fix available via `npm audit fix` | |
| node_modules/swarm-js/node_modules/got | |
| node_modules/web3-bzz/node_modules/got | |
| swarm-js 0.1.1 - 0.1.17 || >=0.1.35 | |
| Depends on vulnerable versions of got | |
| node_modules/swarm-js | |
| web3-bzz * | |
| Depends on vulnerable versions of got | |
| Depends on vulnerable versions of swarm-js | |
| node_modules/web3-bzz | |
| web3 1.0.0-beta.1 - 1.7.4 || 2.0.0-alpha - 3.0.0-rc.0 | |
| Depends on vulnerable versions of web3-bzz | |
| node_modules/web3 | |
| parse-path <5.0.0 | |
| Severity: high | |
| Authorization Bypass in parse-path - https://github.com/advisories/GHSA-3j8f-xvm3-ffx4 | |
| fix available via `npm audit fix --force` | |
| Will install lerna@5.4.1, which is a breaking change | |
| node_modules/parse-path | |
| parse-url 3.0.0 - 6.0.5 | |
| Depends on vulnerable versions of parse-path | |
| node_modules/parse-url | |
| git-up 2.1.0 - 5.0.0 | |
| Depends on vulnerable versions of parse-url | |
| node_modules/git-up | |
| git-url-parse 11.0.0 - 11.6.0 | |
| Depends on vulnerable versions of git-up | |
| node_modules/git-url-parse | |
| @lerna/github-client <=5.1.7 | |
| Depends on vulnerable versions of git-url-parse | |
| node_modules/@lerna/github-client | |
| @lerna/version 3.11.0 - 5.1.7 | |
| Depends on vulnerable versions of @lerna/github-client | |
| node_modules/@lerna/version | |
| @lerna/publish 3.11.0 - 5.1.7 | |
| Depends on vulnerable versions of @lerna/version | |
| node_modules/@lerna/publish | |
| lerna 3.11.0 - 5.1.7 | |
| Depends on vulnerable versions of @lerna/publish | |
| Depends on vulnerable versions of @lerna/version | |
| node_modules/lerna | |
| terser <4.8.1 | |
| Severity: high | |
| Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc | |
| fix available via `npm audit fix` | |
| node_modules/terser | |
| y18n 4.0.0 | |
| Severity: high | |
| Prototype Pollution in y18n - https://github.com/advisories/GHSA-c4w7-xm78-47vh | |
| fix available via `npm audit fix` | |
| node_modules/ganache-cli/node_modules/y18n | |
| yargs-parser <=5.0.0 | |
| Severity: moderate | |
| yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp | |
| No fix available | |
| node_modules/solc/node_modules/yargs-parser | |
| yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1 | |
| Depends on vulnerable versions of yargs-parser | |
| node_modules/solc/node_modules/yargs | |
| solc 0.3.6 - 0.4.26 | |
| Depends on vulnerable versions of yargs | |
| node_modules/solc | |
| @ensdomains/ens * | |
| Depends on vulnerable versions of solc | |
| node_modules/@ensdomains/ens | |
| 27 vulnerabilities (9 moderate, 18 high) | |
| To address issues that do not require attention, run: | |
| npm audit fix | |
| To address all issues possible (including breaking changes), run: | |
| npm audit fix --force | |
| Some issues need review, and may require choosing | |
| a different dependency. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment