chore(vulnerability): update vulnerabilities list for the new web3 issue #5150
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #5150 +/- ##
==========================================
- Coverage 85.70% 85.70% -0.01%
==========================================
Files 730 730
Lines 29861 29861
Branches 5156 5156
==========================================
- Hits 25593 25592 -1
- Misses 4033 4034 +1
Partials 235 235 see 1 file with indirect coverage changes Continue to review full report in Codecov by Sentry.
|
satish-ravi
reviewed
Mar 25, 2024
There was a problem hiding this comment.
Thanks for doing this. I was also reading about this, and it seems like the version we use (1.10.4), doesn't even have these methods? https://github.com/web3/web3.js/tree/v1.10.4/packages/web3-utils/src I don't see a format or mergeDeep
satish-ravi
approved these changes
Mar 25, 2024
shottah
pushed a commit
to zed-io/kolektivo
that referenced
this pull request
May 15, 2024
…sue (valora-inc#5150) ### Description GHSA-87qp-7cw8-8q9c ~The most susceptible environments for this attack are Web servers, application servers, and web browsers so I think we are relatively safe in the wallet. Nevertheless this gives us another incentive to remove more old wallet code~ ~New vulnerability with web3 utils. Our only use of web3 is with contractkit and we are 3 major versions behind. I created this placeholder project for removing all `@celo` dependencies and have linked this PR there.~ It appears that we are on such an old version of the code that these utils don't exist yet 😅 . @satish-ravi and I could find no object manipulation helpers in the version we use of web3. The security vulnerability likely is mislabeled and should have a lower bound on the affected versions. ### Related issues https://linear.app/valora/project/remove-all-celo-dependencies-in-favor-of-viem-a7e601818b8e/ENG
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
GHSA-87qp-7cw8-8q9c
The most susceptible environments for this attack are Web servers, application servers, and web browsers so I think we are relatively safe in the wallet. Nevertheless this gives us another incentive to remove more old wallet codeNew vulnerability with web3 utils. Our only use of web3 is with contractkit and we are 3 major versions behind. I created this placeholder project for removing all@celodependencies and have linked this PR there.It appears that we are on such an old version of the code that these utils don't exist yet 😅 . @satish-ravi and I could find no object manipulation helpers in the version we use of web3. The security vulnerability likely is mislabeled and should have a lower bound on the affected versions.
Related issues
https://linear.app/valora/project/remove-all-celo-dependencies-in-favor-of-viem-a7e601818b8e/ENG