[Snyk] Upgrade @alch/alchemy-web3 from 1.1.12 to 1.4.7

[Dustin4444]

Snyk has created this PR to upgrade @alch/alchemy-web3 from 1.1.12 to 1.4.7.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 17 versions ahead of your current version.

• The recommended version was released 3 years ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	345	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-BROWSERIFYSIGN-6037026	345	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8172694	345	No Known Exploit
	Insufficient Visual Distinction of Homoglyphs Presented to User SNYK-JS-BASEX-10118294	345	No Known Exploit
	Function Call With Incorrect Argument Type SNYK-JS-CIPHERBASE-12084814	345	Proof of Concept
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	345	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	345	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	345	Proof of Concept
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	345	Proof of Concept
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	345	Proof of Concept
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	345	Proof of Concept
	Information Exposure SNYK-JS-ELLIPTIC-8720086	345	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	345	Proof of Concept
	Improper Validation of Integrity Check Value SNYK-JS-SECP256K1-8237220	345	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	345	No Known Exploit
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	345	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	345	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	345	Proof of Concept
	Generation of Predictable Numbers or Identifiers SNYK-JS-PBKDF2-10495496	345	Proof of Concept
	Generation of Predictable Numbers or Identifiers SNYK-JS-PBKDF2-10495498	345	No Known Exploit
	Open Redirect SNYK-JS-GOT-2932019	345	No Known Exploit
	Open Redirect SNYK-JS-GOT-2932019	345	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	345	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	345	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	345	No Known Exploit
	Function Call With Incorrect Argument Type SNYK-JS-SHAJS-12089400	345	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	345	Proof of Concept

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[gemini-code-assist]

Summary of Changes

Hello @Dustin4444, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's security by upgrading the @alch/alchemy-web3 dependency to a much newer version. This update is crucial for mitigating a wide array of identified vulnerabilities, ranging from critical to low severity, thereby safeguarding the application against potential exploits and ensuring a more secure and stable operational environment.

Highlights

• Dependency Upgrade: The @alch/alchemy-web3 package has been upgraded from version 1.1.12 to 1.4.7.
• Security Fixes: This upgrade resolves a total of 26 security vulnerabilities, including 9 critical, 7 high, 8 medium, and 2 low severity issues, significantly improving the overall security posture of the project.
• Version Gap: The new version 1.4.7 is 17 versions ahead of the previous 1.1.12 and was released approximately three years ago, indicating a substantial update.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch snyk-upgrade-c7570c781196b4870ec7a87723f91d18

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request, generated by Snyk, correctly upgrades @alch/alchemy-web3 from version 1.1.12 to 1.4.7, addressing several security vulnerabilities. While this is a necessary and positive change, it's important to note that the @alch/alchemy-web3 package is deprecated and in maintenance mode. The official recommendation from Alchemy is to migrate to the newer alchemy-sdk. Continuing to use a deprecated package introduces risks, as it will not receive new features and may not get timely security updates in the future. I recommend merging this PR to resolve the immediate security concerns, but a follow-up task should be created to plan the migration to alchemy-sdk to ensure the project's long-term health and maintainability.

[gemini-code-assist]

While this upgrade to version 1.4.7 is important for patching security vulnerabilities, it's crucial to be aware that the @alch/alchemy-web3 package is deprecated. The official recommendation from Alchemy is to migrate to the alchemy-sdk package. Using a deprecated library is a significant technical debt and poses a long-term maintenance risk. It's advisable to create a follow-up ticket to plan this migration.