Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should truffle be moved into dev-dependencies? #51

Closed
Artazor opened this issue Jun 27, 2018 · 1 comment
Closed

Should truffle be moved into dev-dependencies? #51

Artazor opened this issue Jun 27, 2018 · 1 comment
Assignees
@0xjac
Labels
bug inprogress

Comments

@Artazor
Copy link

Artazor commented Jun 27, 2018

Current truffle that is referenced in dependencies has vulnerabilites:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ growl                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.10.2                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ erc777                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ erc777 > truffle > mocha > growl                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/146                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ erc777                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ erc777 > truffle > mocha > debug                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

This leads to false positives while auditing projects which are using erc777 as dependency in npm even if their own truffle is updated.
0xjac pushed a commit that referenced this issue Jul 17, 2018
Update to solidity 0.4.24, truffle as dev dep
e2f50b8 
- truffle is now a dev dependency
- vulnerabilities from npm audit have been removed
- closes #51
0xjac pushed a commit that referenced this issue Jul 17, 2018
Update to solidity 0.4.24, truffle as dev dep
49df19d 
- truffle is now a dev dependency
- vulnerabilities from npm audit have been removed
- closes #51
- use node 10.6.0 on ci
0xjac pushed a commit that referenced this issue Jul 24, 2018
Update to solidity 0.4.24, truffle as dev dep
3f5c7e0 
- truffle is now a dev dependency
- vulnerabilities from npm audit have been removed
- closes #51
- use node 10.6.0 on ci
@0xjac
Copy link
Owner

0xjac commented Aug 3, 2018

@Artazor you're right, good catch. I am cleaning up the repo and updating the reference implementation to reflect the changes of the standard and I'll add the truffle dependency.

@0xjac 0xjac self-assigned this Aug 3, 2018
0xjac pushed a commit that referenced this issue Nov 4, 2018
Update to solidity 0.4.24, truffle as dev dep
b7e5a6c 
- truffle is now a dev dependency
- vulnerabilities from npm audit have been removed
- closes #51
- use node 10.6.0 on ci
0xjac pushed a commit that referenced this issue Nov 4, 2018
Update to solidity 0.4.24, truffle as dev dep
884ed16 
- truffle is now a dev dependency
- vulnerabilities from npm audit have been removed
- closes #51
- use node 10.6.0 on ci
@0xjac 0xjac closed this as completed in 5a33e2d Nov 4, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@0xjac 0xjac

Labels
bug inprogress
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Artazor @0xjac