New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade eth-sig-util from 2.5.0 to 3.0.1 #35

Open

kumavis wants to merge 1 commit into master from snyk-fix-b596b47c8330c066802b07f4ed69fdbc

Member

kumavis commented Feb 3, 2024

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- trials/wallet/package.json
- trials/wallet/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eth-sig-util

The new version differs by 40 commits.

8c6112f v3.0.1 (#129)
fc66710 Add changelog (#128)
980d9be Update minimum `tweetnacl` to latest version (#123)
3d96bb1 Standardize TypeScript and lint configuration (#111)
58559ac Migrate from deprecated `sha3` method to `keccak` (#118)
a655842 Remove unused dependencies (#117)
c7e7bac Switch from `smokestack` to `airtap` (#115)
e63bccd Remove `utils/eccrypto-lite` (#116)
99d4762 Bump ethereumjs-abi (#96)
4f0b3e1 3.0.0 (#108)
9f281f0 Add CODEOWNERS file (#103)
42c2133 Use bl@4.0.3 (#102)
440a015 Bump elliptic from 6.5.2 to 6.5.3 (#101)
39c70b3 Bump lodash from 4.17.15 to 4.17.19 (#99)
5e738a8 Update minimist and node-uuid (#98)
ce46a36 Remove outdated docs from README (#97)
217dd83 Use typescript@3.9.2 (#95)
ad73314 Add LICENSE file (#94)
5571f24 Update README.md (#93)
3725c46 Update package.json script entries to use Yarn (#92)
7c0ba6a Use typescript@3.8.3 (#91)
4db1e3d Add recoverTypedSignature_V4 docs (#90)
07fadb3 ci - test against multiple node versions (#89)
11bfc03 Update mkdirp and minimist (#87)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cryptographic Issues


          fix: trials/wallet/package.json & trials/wallet/package-lock.json to …

50a002c

…reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-511941
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment