[Snyk] Fix for 1 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/instant/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @0x/asset-swapper

The new version differs by 250 commits.

• 92e681f Publish
• 3f65dd6 Updated CHANGELOGS & MD docs
• 4425c31 chore: update packages ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #553)
• 9058839 WooFi Gas Estimates ([Snyk] Security upgrade nyc from 11.9.0 to 12.0.0 #551)
• 46a7a2e Revert "chore: Remove unused addresses in addresses.json [TKR-519] ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #548)"
• b35dccd Offboard Cream ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #546)
• 08e0c2e chore: Add checks for `addresses.json` [TKR-519] ([Snyk] Fix for 1 vulnerabilities #549)
• 8aa313a chore: Remove unused addresses in addresses.json [TKR-519] ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #548)
• 8e9699c Publish
• 939b708 Updated CHANGELOGS & MD docs
• 1617e3f Fix Polygon and Ganache FillQuoteTransformer addresses ([Snyk] Security upgrade @0x/mesh-rpc-client from 7.0.4-beta-0xv3 to 8.1.0 #547)
• e0d7057 Publish
• 01a6d93 Updated CHANGELOGS & MD docs
• 9b9f0b9 Move woofi tokens to constant.ts and run prettier ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #544)
• 0d0fef8 PR #
• 17adfbe changelogs
• 8059462 empty commit to run workflow
• 0dba5a5 lowercase addresses ([Snyk] Fix for 1 vulnerabilities #542)
• 4dae8de feat: add Foundry support to contracts/zero-ex ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #534)
• 0046bb2 Update WooFi sampler logicand addresses.json w/ new FQT's
• fe935f7 Use @ 0x/fast-abi instead of deprecated fast-abi ([Snyk] Security upgrade @0x/subproviders from 6.6.5 to 7.0.0 #540)
• 1b527ff Clean up Mirror and UST related stuff ([Snyk] Fix for 1 vulnerabilities #539)
• 9f5324d Publish
• 3647392 Updated CHANGELOGS & MD docs

See the full diff

Package name: @0x/subproviders

The new version differs by 53 commits.

• c33f74a Publish
• d0fe875 Updated CHANGELOGS & MD docs
• 06d1d34 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #93 from 0xProject/david/subproviders-8
• 8d21ec1 chore: update subproviders version to 8.0.0
• 1e26144 Merge pull request [Snyk] Security upgrade @0x/base-contract from 6.5.0 to 7.0.0 #91 from 0xProject/david/subproviders-clean
• bf9aaea chore: clean unused code from @ 0x/subproviders
• 8c79268 Publish
• d6e3f73 Updated CHANGELOGS & MD docs
• 8df4471 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #86 from 0xProject/feat/parse-imports-single-quotes
• 6f68b71 add ability to parse single quote imports
• 2ca3096 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #85 from 0xProject/dependabot/npm_and_yarn/json5-1.0.2
• 2d90e21 Bump json5 from 1.0.1 to 1.0.2
• 913ee4b Merge pull request [Snyk] Fix for 2 vulnerabilities #84 from 0xProject/dependabot/npm_and_yarn/decode-uri-component-0.2.2
• 03c2f93 Bump decode-uri-component from 0.2.0 to 0.2.2
• 2b6d538 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #76 from 0xProject/dependabot/npm_and_yarn/change-case-4.1.2
• 1650f30 Changed functions names
• 540286e Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #79 from 0xProject/dependabot/npm_and_yarn/depcheck-1.4.3
• 7696d3b Bump change-case from 3.1.0 to 4.1.2
• 1ee8ccf Bump depcheck from 0.6.11 to 1.4.3
• 5eb26b0 Merge pull request [Snyk] Fix for 2 vulnerabilities #77 from 0xProject/dependabot/npm_and_yarn/sinon-15.0.0
• b444777 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #73 from 0xProject/dependabot/github_actions/actions/setup-python-4
• 4cd16d3 Merge pull request [Snyk] Fix for 2 vulnerabilities #75 from 0xProject/dependabot/npm_and_yarn/loader-utils-1.4.2
• f91bf18 Bump actions/setup-python from 2 to 4
• cb2f8d5 Merge pull request [Snyk] Security upgrade @0x/base-contract from 6.5.0 to 7.0.0 #74 from 0xProject/dependabot/github_actions/actions/setup-node-3

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Native code	@0x/fast-abi	0.0.5	Location: binding.gyp	packages/instant/package.json via @0x/asset-swapper@16.66.4
Install scripts	@0x/fast-abi	0.0.5	Install script: install Source: node-pre-gyp install --fallback-to-build=false || yarn build:rs:release	packages/instant/package.json via @0x/asset-swapper@16.66.4
Native code	usb	1.9.2	Location: binding.gyp	packages/instant/package.json via @0x/asset-swapper@16.66.4
Install scripts	msw	0.44.2	Install script: postinstall Source: node -e "try{require('./config/scripts/postinstall')}catch(e){}"	packages/instant/package.json via @0x/asset-swapper@16.66.4
Network access	msw	0.44.2	Module: globalThis["fetch"] Location: lib/iife/index.js	packages/instant/package.json via @0x/asset-swapper@16.66.4
Install scripts	@0x/neon-router	0.3.5	Install script: install Source: node-pre-gyp install --fallback-to-build	packages/instant/package.json via @0x/asset-swapper@16.66.4
Network access	https-proxy-agent	5.0.1	Module: tls Location: dist/agent.js	packages/instant/package.json via @0x/asset-swapper@16.66.4
Network access	ethers	5.7.2	Module: globalThis["fetch"] Location: dist/ethers.esm.js	packages/instant/package.json via @0x/assert@3.0.36, @0x/asset-swapper@16.66.4, @0x/subproviders@8.0.1, @0x/utils@5.6.4, @0x/web3-wrapper@7.6.5
Network access	graphql-request	3.7.0	Module: globalThis["fetch"] Location: dist/index.js	packages/instant/package.json via @0x/asset-swapper@16.66.4
Network access	@mswjs/interceptors	0.17.9	Module: https Location: lib/interceptors/ClientRequest/index.js	packages/instant/package.json via @0x/asset-swapper@16.66.4
Network access	express	4.18.2	Module: http-errors Location: lib/response.js	packages/instant/package.json via @0x/asset-swapper@16.66.4

Next steps

What's wrong with native code?

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore @0x/fast-abi@0.0.5
• @SocketSecurity ignore msw@0.44.2
• @SocketSecurity ignore @0x/neon-router@0.3.5
• @SocketSecurity ignore usb@1.9.2
• @SocketSecurity ignore https-proxy-agent@5.0.1
• @SocketSecurity ignore ethers@5.7.2
• @SocketSecurity ignore graphql-request@3.7.0
• @SocketSecurity ignore @mswjs/interceptors@0.17.9
• @SocketSecurity ignore express@4.18.2

[socket-security]

New and updated dependency changes detected. Learn more about Socket for GitHub ↗︎

Packages		Version	New capabilities	Transitives1	Size	Publisher
@0x/asset-swapper	🆕	16.66.4	None	+170	137 MB	tobernguyen
typescript	🆕	3.9.10	None	+0	54.1 MB	typescript-bot

Footnotes

1. https://docs.socket.dev ↩