[Snyk-dev] Fix for 16 vulnerabilities

[lili2311]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/protocol/package.json
  • packages/protocol/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	534/1000 Why? Has a fix available, CVSS 6.4	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	Yes	No Known Exploit
	554/1000 Why? Has a fix available, CVSS 6.8	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:diff:20180305	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: mocha

The new version differs by 250 commits.

• 5f96d51 build(v10.1.0): release
• ed74f16 build(v10.1.0): update CHANGELOG
• 51d4746 chore(devDeps): update 'ESLint' to v8 (Add alliance member names under logo celo-org/celo-monorepo#4926)
• 4e06a6f fix(browser): increase contrast for replay buttons (Attestations Service: Support Nexmo applications celo-org/celo-monorepo#4912)
• 41567df Support prefers-color-scheme: dark ([ Attestation Service] Fix Twilio callback auth when behind proxies. Bump version to 1.0.3. celo-org/celo-monorepo#4896)
• 61b4b92 fix the regular expression for function `clean` in `utils.js` (celocli account:register-metadata fails in 0.0.55 celo-org/celo-monorepo#4770)
• 77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill ([Web] Accurately calculate attestation score celo-org/celo-monorepo#4905)
• 84b2f84 chore(ci): upgrade GH actions to latest versions ([contractkit] Metadata URLs that return 301 are not handled celo-org/celo-monorepo#4899)
• 023f548 build(v10.0.0): release
• 62b1566 build(v10.0.0): update CHANGELOG
• fbe7a24 chore: update dependencies (Confirm your phone number is asked and “Matching can be done only once” error is shown when the user taps on the “Connect” button from “Connect contacts” while signing with a verified phone number.  celo-org/celo-monorepo#4878)
• 2b98521 docs: replace 'git.io' short links (Send Amount screen is shown instead of “Sending” screen after scanning QR code from “Please confirm your contact’s account” screen celo-org/celo-monorepo#4877) [ci skip]
• 007fa65 chore(ci): add Node v18 to test matrix (Nothing happens when user tapping on “submit” button on confirm your contacts account page when user get back from send page  celo-org/celo-monorepo#4876)
• f6695f0 chore(esm): remove code for Node v12 (Add fetch polyfill celo-org/celo-monorepo#4874)
• 59f6192 chore(ci): conditionally skip 'push' event ([Wallet] Reorganize and add e2e tests celo-org/celo-monorepo#4872)
• b863359 docs: fix 'fgrep' url ([docs] Single list of ReleaseGold deployments celo-org/celo-monorepo#4873)
• baaa41a chore(ci): ignore changes to docs files ([web] Typescript and Timelines celo-org/celo-monorepo#4871)
• ac81cc5 refactor!: drop support of 'growl' notification (Handle large numbers better on Enter Amount Screen celo-org/celo-monorepo#4866)
• 3946453 chore(deps)!: upgrade 'minimatch' (Improve celo cli installation time celo-org/celo-monorepo#4865)
• 592905b refactor!: rename 'bin/mocha' to 'bin/mocha.js' (Update Celo reference to the App Name in CELO Education celo-org/celo-monorepo#4863)
• b7b849b refactor!: remove deprecated Runner signature (adds tests for missing timestamp, fix log error celo-org/celo-monorepo#4861)
• 0608fa3 chore(site): fix supporters' download ([Wallet] Make the dismiss Gold Education button work celo-org/celo-monorepo#4859)
• 785aeb1 chore(test): drop AMD/'requirejs' (fix ODIS errs caused by missing timestamp celo-org/celo-monorepo#4857)
• ed640c4 chore(devDeps): upgrade 'coffee-script' ([cli] Remove abstract release-gold command celo-org/celo-monorepo#4856)

See the full diff

Package name: solidity-bytes-utils

The new version differs by 18 commits.

• e93b867 Add deleted set of memory variables accidentally deleted with the last PR to master
• fa2792e Revert version constraints back to `^0.5.0` in order to enhance compatibility
• 425edac Merge branch 'master' into develop
• 7727420 Change truffle config file to always use the right compielr version
• 87e1c28 Add eth lint ([Snyk-dev] Security upgrade web3 from 1.0.0-beta.37 to 4.0.1 #30)
• 1b55da7 Revert "Publish to GitHub package manager"
• 0cfd42f Publish to GitHub package manager
• 8f91f5d Merge branch 'master' into develop
• e3d1f68 Fix for new truffle version breaking Codeship CI
• 8183d09 Merge branch 'master' into develop
• 5f91a80 Hotfix for correct EPM deployment
• 0061b62 v0.0.8 - Additional uint typecasting methods ([Snyk-dev] Security upgrade web3 from 1.0.0-beta.37 to 4.0.1 #28)
• cd17878 Bump version to 0.0.8
• 541c524 Update dependencies
• de03428 Merge branch 'master' into develop
• db88c30 Fix README with correct example of import from NPM
• 658e88b Implement toUintXX for 64, 96 and 128 bits ([Snyk] Security upgrade web3 from 1.0.0-beta.37 to 4.0.1 #25)
• 14ca2bd v0.0.7 - Upgrade to Solidity v0.5.0 ([Snyk-dev] Security upgrade web3 from 1.0.0-beta.37 to 4.0.1 #22)

See the full diff

Package name: truffle

The new version differs by 250 commits.

• 94dda0c Publish
• 2c68fb1 Merge pull request Pixel Phones are unable to attach logs celo-org/celo-monorepo#5730 from trufflesuite/subCMDHelp
• 28f3d26 fix TypeError: Cannot read properties of undefined (reading 'subCommand')
• ee9165c Merge pull request contracts migrations should work with v1 celo-org/celo-monorepo#5727 from trufflesuite/thanksify
• 281c938 Update Sourcify networks
• 3950dca Merge pull request Add new gpg key celo-org/celo-monorepo#5717 from trufflesuite/revert-5359-db-jest-resolver
• f17aa05 Revert "Internal improvements: Custom jest resolver for db"
• b9087b5 Merge pull request User must supply absolute path in governance:propose cmd celo-org/celo-monorepo#5713 from trufflesuite/dependabot/npm_and_yarn/loader-utils-1.4.2
• 4095a68 Bump loader-utils from 1.4.1 to 1.4.2
• 31cc6eb dashboard: Decode requests (ODIS Client Update celo-org/celo-monorepo#5621)
• eb8a3a6 Merge pull request Add CUSD transfer to MTW celo-org/celo-monorepo#5709 from trufflesuite/bump-mocha
• 6af18fa Merge pull request User is able to take a screenshot & be able to save the user's account key when the user taps on ‘Account key’ from Hamburger Menu. celo-org/celo-monorepo#5707 from trufflesuite/dependabot/npm_and_yarn/loader-utils-1.4.2
• cee41e5 Merge pull request Add Blockscout API deployment celo-org/celo-monorepo#5710 from trufflesuite/sweep-up
• 8db49f7 Publish
• 76acaa0 Merge pull request [Wallet] Add Japan to restricted CP-DOTO countries celo-org/celo-monorepo#5708 from trufflesuite/picky-dash-event-handlers
• 9ab12a8 get rid of unnecessary gitHead property from package.jsons
• b186513 bump mocha to 10.1.0
• 58f42bd events: Early return dashboard event handlers if network isn't dashboard
• 81dd430 Bump loader-utils from 1.4.1 to 1.4.2
• f3d1c7a Merge pull request [Wallet] Retry if geth fails to init because of no internet celo-org/celo-monorepo#5700 from trufflesuite/trim-it
• 4e8df7b Merge pull request Test that uniswap scripts properly generate a merkle tree based on the rewards data  celo-org/celo-monorepo#5646 from trufflesuite/add-compilations-simple
• 360fc65 Add test that overlapping id array has correct length
• d7715e8 Return all overlapping IDs in error
• b756ba2 Factor out repeat compilation check and put it in encoder

See the full diff

Package name: twilio

The new version differs by 9 commits.

• ccbb504 Release 4.0.0
• 32a9a06 [Librarian] Regenerated @ a72b955e51d75514f3c944c81b9db17278cfad69
• 3e712b0 fix: remove Flex shortcuts for removed APIs (Add VM BASED param to fix faucet and invite celo-org/celo-monorepo#902)
• 21ad190 docs: update link to exceptions example for 4.x release (RuntimeException: Unable to instantiate receiver com.androidbroadcastreceiverforreferrer.ReferrerBroadcastReceiver:... celo-org/celo-monorepo#901)
• 449f5b2 docs: use long property descriptions if available (Users SBAT differentiate Celo gold and dollar transactions celo-org/celo-monorepo#899)
• 8da34f6 docs: add relevant Refer/Say/ssml links to upgrade guide; formatting (Users SBAT return to reclaim review screen after fee education celo-org/celo-monorepo#895)
• 3c68014 fix: use break() for method names rather than break_() (Users SBAT choose between system auth or pincode celo-org/celo-monorepo#897)
• 6dff2f9 chore: readd ts tests to test rule (Users SBAT vote for new validator groups with the CLI celo-org/celo-monorepo#888)
• b471067 feat!: Merge branch '4.0.0-rc' to main ([wallet] improve local currency exchange rate polling celo-org/celo-monorepo#883)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn