58 vulnerabilities in dependencies #5236

Open
javiermarcon opened this issue Feb 26, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@javiermarcon

Screenshot or description

There are 58 vulnerabilities in this package's dependencies (8 low, 35 moderate, 14 high, 1 critical).

Tried to fix them but most of them have breaking changes.

$ npm audit fix
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-side-effect@1.2.0
npm WARN Found: react@17.0.2
npm WARN node_modules/react
npm WARN react@"^17.0.1" from the root project
npm WARN 28 more (@web3-react/core, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"^0.13.0 || ^0.14.0 || ^15.0.0 || ^16.0.0" from react-side-effect@1.2.0
npm WARN node_modules/react-document-meta/node_modules/react-side-effect
npm WARN react-side-effect@"^1.1.0" from react-document-meta@3.0.0-beta.2
npm WARN node_modules/react-document-meta
npm WARN
npm WARN Conflicting peer dependency: react@16.14.0
npm WARN node_modules/react
npm WARN peer react@"^0.13.0 || ^0.14.0 || ^15.0.0 || ^16.0.0" from react-side-effect@1.2.0
npm WARN node_modules/react-document-meta/node_modules/react-side-effect
npm WARN react-side-effect@"^1.1.0" from react-document-meta@3.0.0-beta.2
npm WARN node_modules/react-document-meta

up to date, audited 2787 packages in 1m

313 packages are looking for funding
run npm fund for details

npm audit report

axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install axios@1.6.7, which is a breaking change
node_modules/@json-rpc-tools/provider/node_modules/axios
node_modules/axios
@json-rpc-tools/provider <=2.0.0-beta.1
Depends on vulnerable versions of axios
node_modules/@json-rpc-tools/provider
eip1193-provider >=1.0.0
Depends on vulnerable versions of @json-rpc-tools/provider
node_modules/eip1193-provider
@walletconnect/ethereum-provider <=2.4.3
Depends on vulnerable versions of eip1193-provider
node_modules/@walletconnect/ethereum-provider
@web3-react/walletconnect-connector >=6.2.6
Depends on vulnerable versions of @walletconnect/ethereum-provider
node_modules/@web3-react/walletconnect-connector

elliptic <=6.5.3
Severity: high
Elliptic Uses a Broken or Risky Cryptographic Algorithm - GHSA-r9p9-mrjm-926w
Signature Malleabillity in elliptic - GHSA-vh7m-p724-62c2
No fix available
node_modules/ghost-bitcore-lib/node_modules/elliptic
ghost-bitcore-lib
Depends on vulnerable versions of elliptic
Depends on vulnerable versions of lodash
node_modules/ghost-bitcore-lib

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install ava@6.1.1, which is a breaking change
node_modules/package-json/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
ava 0.1.0 - 4.0.0-rc.1
Depends on vulnerable versions of update-notifier
node_modules/ava

jpeg-js <=0.4.3
Severity: high
Infinite loop in jpeg-js - GHSA-xvf7-4v9q-58w6
Uncontrolled resource consumption in jpeg-js - GHSA-w7q9-p3jq-fmhm
fix available via npm audit fix --force
Will install favicons@7.1.5, which is a breaking change
node_modules/resize-img/node_modules/jimp/node_modules/jpeg-js
node_modules/resize-img/node_modules/jpeg-js
jimp <=0.3.5
Depends on vulnerable versions of jpeg-js
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of request
Depends on vulnerable versions of url-regex
node_modules/resize-img/node_modules/jimp
resize-img <=1.1.2
Depends on vulnerable versions of jimp
Depends on vulnerable versions of jpeg-js
node_modules/resize-img
to-ico >=1.1.0
Depends on vulnerable versions of resize-img
node_modules/to-ico
favicons 4.8.3 - 7.1.1
Depends on vulnerable versions of sharp
Depends on vulnerable versions of to-ico
Depends on vulnerable versions of xml2js
node_modules/favicons

json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install babel-plugin-module-resolver@5.0.0, which is a breaking change
node_modules/find-babel-config/node_modules/json5
find-babel-config <=1.2.0
Depends on vulnerable versions of json5
node_modules/find-babel-config
babel-plugin-module-resolver 2.3.0 - 4.1.0
Depends on vulnerable versions of find-babel-config
node_modules/babel-plugin-module-resolver

libp2p <=0.38.0-fc2224a
Severity: high
libp2p DoS vulnerability from lack of resource management - GHSA-f44q-634c-jvwv
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of peer-id
fix available via npm audit fix --force
Will install libp2p@1.2.3, which is a breaking change
node_modules/libp2p

lodash <=4.17.20
Severity: high
Regular Expression Denial of Service (ReDoS) in lodash - GHSA-29mw-wpgm-hmr9
Command Injection in lodash - GHSA-35jh-r3h4-6jhm
fix available via npm audit fix
node_modules/ghost-bitcore-lib/node_modules/lodash

minimist <=0.2.3
Severity: critical
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
fix available via npm audit fix --force
Will install favicons@7.1.5, which is a breaking change
node_modules/resize-img/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/resize-img/node_modules/mkdirp

node-fetch <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - GHSA-r683-j2x4-v87g
fix available via npm audit fix --force
Will install puppeteer@22.3.0, which is a breaking change
node_modules/puppeteer/node_modules/node-fetch
puppeteer 10.0.0 - 13.1.1
Depends on vulnerable versions of node-fetch
node_modules/puppeteer

node-forge <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5
Prototype Pollution in node-forge util.setPath API - GHSA-wxgw-qj99-44c2
URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in node-forge - GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge - GHSA-92xj-mqp7-vmcj
Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g
fix available via npm audit fix --force
Will install libp2p@1.2.3, which is a breaking change
node_modules/libp2p-secio/node_modules/node-forge
node_modules/libp2p-secio/node_modules/peer-id/node_modules/node-forge
node_modules/node-forge
libp2p-crypto <=0.6.1 || 0.12.0 - 0.21.1
Depends on vulnerable versions of node-forge
node_modules/libp2p-crypto
node_modules/libp2p-interfaces/node_modules/libp2p-crypto
node_modules/libp2p-secio/node_modules/libp2p-crypto
node_modules/libp2p-secio/node_modules/peer-id/node_modules/libp2p-crypto
node_modules/peer-id/node_modules/libp2p-crypto
libp2p-interfaces <=1.3.1
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of peer-id
node_modules/libp2p-interfaces
node_modules/libp2p-secio/node_modules/libp2p-interfaces
libp2p-gossipsub <=0.11.5
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-gossipsub
libp2p-kad-dht 0.6.3 - 0.27.0
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-kad-dht
libp2p-secio <=0.5.0 || >=0.9.1
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-secio
peer-id 0.7.0 || 0.10.5 - 0.15.4
Depends on vulnerable versions of libp2p-crypto
node_modules/libp2p-secio/node_modules/peer-id
node_modules/peer-id
libp2p-bootstrap <=0.13.0
Depends on vulnerable versions of peer-id
node_modules/libp2p-bootstrap
libp2p-webrtc-star 0.2.0 - 0.4.5 || 0.13.4 - 0.24.1
Depends on vulnerable versions of peer-id
node_modules/libp2p-webrtc-star

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix --force
Will install web3@4.5.0, which is a breaking change
node_modules/request
request-promise-cache *
Depends on vulnerable versions of request
node_modules/request-promise-cache
request-promise-core *
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native
servify *
Depends on vulnerable versions of request
node_modules/servify
eth-lib 0.1.24 - 0.1.29
Depends on vulnerable versions of servify
node_modules/eth-lib
swarm-js >=0.1.36
Depends on vulnerable versions of eth-lib
node_modules/swarm-js
web3-bzz *
Depends on vulnerable versions of swarm-js
node_modules/web3-bzz
web3 1.0.0-beta.1 - 3.0.0-rc.0
Depends on vulnerable versions of web3-bzz
node_modules/web3
@1inch/limit-order-protocol >=1.4.0
Depends on vulnerable versions of web3
node_modules/@1inch/limit-order-protocol
web3-provider-engine *
Depends on vulnerable versions of ethereumjs-block
Depends on vulnerable versions of ethereumjs-vm
Depends on vulnerable versions of request
node_modules/web3-provider-engine
@walletconnect/web3-provider *
Depends on vulnerable versions of web3-provider-engine
node_modules/@walletconnect/web3-provider

semver >=7.0.0 <7.5.2 || <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/levelup/node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
levelup 0.9.0 - 1.3.9
Depends on vulnerable versions of semver
node_modules/levelup
merkle-patricia-tree 0.1.22 - 2.3.2
Depends on vulnerable versions of levelup
node_modules/merkle-patricia-tree
ethereumjs-block >=0.0.3
Depends on vulnerable versions of merkle-patricia-tree
node_modules/ethereumjs-block
node_modules/ethereumjs-vm/node_modules/ethereumjs-block
ethereumjs-vm >=0.1.1
Depends on vulnerable versions of ethereumjs-block
Depends on vulnerable versions of merkle-patricia-tree
node_modules/ethereumjs-vm
simple-update-notifier 1.0.7 - 1.1.0
Depends on vulnerable versions of semver
node_modules/simple-update-notifier
nodemon 2.0.19 - 2.0.22
Depends on vulnerable versions of simple-update-notifier
node_modules/nodemon

sharp <=0.32.5
Severity: high
sharp vulnerable to Command Injection in post-installation over build environment - GHSA-gp95-ppv5-3jc5
sharp vulnerability in libwebp dependency CVE-2023-4863 - GHSA-54xq-cgqr-rpm3
fix available via npm audit fix
node_modules/sharp

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3
fix available via npm audit fix --force
Will install web3@4.5.0, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie

url-regex *
Severity: high
Regular expression denial of service in url-regex - GHSA-v4rh-8p82-6h5w
fix available via npm audit fix
node_modules/url-regex

xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - GHSA-776f-qx25-q3cc
fix available via npm audit fix --force
Will install favicons@7.1.5, which is a breaking change
node_modules/xml2js

58 vulnerabilities (8 low, 35 moderate, 14 high, 1 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Steps to reproduce

nvm install 18
npm i

Environment

  • Domain: not set
  • Mainnet or Testnet: testnet
  • Browser: any
  • OS: Ubuntu 23.10

Your version

  • [x] latest
  • [ ] not latest (please try to upgrade first)
  • [ ] not sure

Does this affect atomic swap flow?

  • [x] yes
  • [ ] no

Are real funds at risk?

  • [ ] yes
  • [x] no
@javiermarcon javiermarcon added the bug Something isn't working label Feb 26, 2024