[Snyk] Fix for 5 vulnerabilities #44

KK68HK · 2024-10-20T05:45:53Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- src/chains/filecoin/filecoin/package.json
- src/chains/filecoin/filecoin/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
776/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.1	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	No	Proof of Concept
776/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.1	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	No	Proof of Concept
776/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.1	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	No	Proof of Concept
701/1000 Why? Recently disclosed, Has a fix available, CVSS 8.3	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8172694	No	No Known Exploit
828/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.7	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8187303	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ipfs

The new version differs by 250 commits.

bf1bc8b chore: release master (#4364)
7b79c1b fix: add deprecation notice to readmes (feat: add --flavor feature (ganache chain plugins) trufflesuite/ganache#4362)
410725b chore: disable dependabot.yml (get help trufflesuite/ganache#4363)
b64d4af docs: update README.md (build(deps-dev): bump webpack from 5.65.0 to 5.76.0 in /src/chains/filecoin/options trufflesuite/ganache#4307)
3bcabe3 chore: fix link to ci results (Improve ganache interactive docs header so it says what it is in the header, not just the main body section trufflesuite/ganache#4299)
ab02e8f docs: update readmes to fix ci badges (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache#4296)
c5e76b7 update-ipfs-http-client (Transaction simulation takes too long to return trufflesuite/ganache#4293)
6eeb1be deps(dev): update interop, ipfsd-ctl and kubo-rpc-client (interactive docs: backspacing at line 1 char 0 causes an issue with our export {/*magic*/};\n hack trufflesuite/ganache#4294)
6e94067 chore: release master (#4252)
d1c3abb deps: update libp2p to 0.42.x (#4288)
0cfcaf6 fix: allow reading rawLeaves in MFS (build(deps): bump dns-packet from 5.3.0 to 5.4.0 in /src/chains/filecoin/filecoin trufflesuite/ganache#4282)
fa578ba fix: disallow publishing pubsub messages to zero peers (Can ganache be used to run full privatenet? trufflesuite/ganache#4286)
789ee58 deps: update dag-jose to 4.0.0 (#4289)
4b4c124 deps: update ipfs-utils for node 18 compatibility (fix: use adjusted time on estimate gas when latest block is being used trufflesuite/ganache#4287)
5f73eca chore: do not double-build interface tests
1916ca8 chore: interface tests should run after build
115a405 fix: fix publish step
6d90cbf fix: use aegir to publish RCs (v7.7.6 trufflesuite/ganache#4284)
2a6fede fix: update lerna config for rc publishing (build(deps): bump minimist from 1.2.5 to 1.2.8 in /src/packages/core trufflesuite/ganache#4283)
e85e5b6 deps: update @ chainsafe/libp2p-gossipsub to 6.0.0 (build(deps): bump minimist from 1.2.5 to 1.2.8 in /src/chains/ethereum/ethereum trufflesuite/ganache#4280)
563806f fix: restore lerna for preleases (build(deps): bump minimist and mkdirp in /src/chains/filecoin/filecoin trufflesuite/ganache#4281)
521c84a fix!: update multiformats to v11.x.x and related depenendcies (build(deps): bump minimist from 1.2.5 to 1.2.8 in /src/chains/ethereum/transaction trufflesuite/ganache#4277)
6be5906 fix: mfs blob import for files larger than 262144b (Connecting MetaMask to remote detached Ganache CLI trufflesuite/ganache#4251)
b722041 docs: DisableNatPortMap should be true to disable port mapping (#4244)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

…filecoin/package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-7577916 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-7577917 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-7577918 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-8172694 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303

changeset-bot · 2024-10-20T05:45:56Z

⚠️ No Changeset found

Latest commit: ad355e4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

socket-security · 2024-10-20T05:46:44Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@achingbrain/ip-address@8.1.0	None	`0`	231 kB	achingbrain
npm/@achingbrain/nat-port-mapper@1.0.15	None	`+5`	489 kB	achingbrain
npm/@achingbrain/ssdp@4.0.6	None	`+1`	118 kB	achingbrain
npm/@assemblyscript/loader@0.9.4	None	`0`	33.1 kB	assemblyscript
npm/@chainsafe/is-ip@2.0.2	None	`0`	28.1 kB	wemeetagain
npm/@chainsafe/libp2p-gossipsub@6.3.0	Transitive: filesystem, network	`+7`	17.2 MB	wemeetagain
npm/@chainsafe/libp2p-noise@11.0.4	None	`0`	474 kB	mpetrunic
npm/@chainsafe/netmask@2.0.0	None	`0`	30.5 kB	mpetrunic
npm/@discoveryjs/json-ext@0.5.6	None	`0`	83.3 kB	lahmatiy
npm/@fastify/busboy@2.1.1	None	`0`	80.2 kB	gurgunday
npm/@filecoin-shipyard/lotus-client-provider-browser@0.0.14	None	`0`	17.9 kB	jimpick
npm/@filecoin-shipyard/lotus-client-rpc@0.2.0	None	`0`	67.4 kB	vascosantos
npm/@filecoin-shipyard/lotus-client-schema@2.0.0	None	`0`	208 kB	alanshaw
npm/@ganache/filecoin-options@0.8.0	None	`0`	942 kB	truffle-cicd
npm/@grpc/grpc-js@1.12.2	None	`0`	1.94 MB	murgatroid99
npm/@grpc/proto-loader@0.7.13	filesystem Transitive: environment	`+3`	573 kB	murgatroid99
npm/@hapi/accept@5.0.2	None	`0`	23.4 kB	devinivy
npm/@hapi/ammo@5.0.1	None	`0`	8.35 kB	hueniverse
npm/@hapi/b64@5.0.0	None	`0`	8.38 kB	hueniverse
npm/@hapi/boom@9.1.3	None	`0`	28.3 kB	devinivy
npm/@hapi/bounce@2.0.0	None	`0`	5.55 kB	hueniverse
npm/@hapi/bourne@2.0.0	None	`0`	5.1 kB	hueniverse
npm/@hapi/call@8.0.1	None	`0`	26.3 kB	cjihrig
npm/@hapi/catbox-memory@5.0.1	None	`0`	9.42 kB	devinivy
npm/@hapi/catbox@11.1.1	None	`0`	21.7 kB	cjihrig
npm/@hapi/content@5.0.2	None	`0`	7.31 kB	hueniverse
npm/@hapi/cryptiles@5.1.0	None	`0`	6.14 kB	hueniverse
npm/@hapi/file@2.0.0	None	`0`	2.88 kB	hueniverse
npm/@hapi/hapi@20.1.5	network	`0`	183 kB	devinivy
npm/@hapi/heavy@7.0.1	None	`0`	6.49 kB	cjihrig
npm/@hapi/hoek@9.2.0	None	`0`	51.1 kB	devinivy
npm/@hapi/iron@6.0.0	None	`0`	18.7 kB	hueniverse
npm/@hapi/mimos@6.0.0	None	`0`	10.1 kB	devinivy
npm/@hapi/nigel@4.0.2	None	`0`	7.25 kB	hueniverse
npm/@hapi/pez@5.0.3	None	`0`	12.9 kB	hueniverse
npm/@hapi/podium@4.1.3	None	`0`	24.4 kB	devinivy
npm/@hapi/shot@5.0.5	network	`0`	13 kB	devinivy
npm/@hapi/somever@3.0.1	None	`0`	16.5 kB	devinivy
npm/@hapi/statehood@7.0.3	None	`0`	17.5 kB	cjihrig
npm/@hapi/subtext@7.0.3	filesystem	`0`	14.7 kB	hueniverse
npm/@hapi/teamwork@5.1.0	None	`0`	108 kB	hueniverse
npm/@hapi/topo@5.1.0	None	`0`	10.7 kB	devinivy
npm/@hapi/validate@1.1.3	None	`0`	213 kB	devinivy
npm/@hapi/vise@4.0.0	None	`0`	5.75 kB	hueniverse
npm/@hapi/wreck@17.1.0	network	`0`	36.7 kB	wyatt
npm/@ipld/car@5.3.2	None	`0`	252 kB	npm-service-account-ipld
npm/@ipld/dag-cbor@9.2.1	None	`0`	47.2 kB	npm-service-account-ipld
npm/@ipld/dag-json@10.2.2	None	`0`	58.7 kB	npm-service-account-ipld
npm/@ipld/dag-pb@4.1.2	None	`0`	55.3 kB	npm-service-account-ipld
npm/@js-sdsl/ordered-map@4.4.2	None	`0`	400 kB	yaozilong
npm/@leichtgewicht/ip-codec@2.0.5	None	`0`	17.7 kB	leichtgewicht
npm/@libp2p/bootstrap@6.0.3	None	`+1`	155 kB	npm-service-account-libp2p
npm/@libp2p/crypto@1.0.17	None	`0`	484 kB	npm-service-account-libp2p
npm/@libp2p/delegated-content-routing@4.0.11	Transitive: environment	`+10`	576 kB	npm-service-account-libp2p
npm/@libp2p/delegated-peer-routing@4.0.14	None	`+1`	120 kB	npm-service-account-libp2p
npm/@libp2p/floodsub@6.0.3	None	`0`	380 kB	npm-service-account-libp2p
npm/@libp2p/interface-address-manager@2.0.5	None	`0`	9.88 kB	npm-service-account-libp2p
npm/@libp2p/interface-connection-encrypter@3.0.6	None	`0`	16.1 kB	npm-service-account-libp2p
npm/@libp2p/interface-connection-manager@1.5.0	None	`0`	14.8 kB	npm-service-account-libp2p
npm/@libp2p/interface-connection@5.1.1	None	`0`	34.8 kB	npm-service-account-libp2p
npm/@libp2p/interface@2.1.3	None	`0`	323 kB	npm-service-account-libp2p

🚮 Removed packages: npm/@babel/helpers@7.14.8, npm/@babel/parser@7.15.2, npm/@hutson/parse-repository-url@3.0.2, npm/@istanbuljs/nyc-config-typescript@1.0.2, npm/@lerna/add@4.0.0, npm/@lerna/bootstrap@4.0.0, npm/@lerna/changed@4.0.0, npm/@lerna/check-working-tree@4.0.0, npm/@lerna/child-process@4.0.0, npm/@lerna/clean@4.0.0, npm/@lerna/cli@4.0.0, npm/@lerna/collect-uncommitted@4.0.0, npm/@lerna/collect-updates@4.0.0, npm/@lerna/command@4.0.0, npm/@lerna/conventional-commits@4.0.0, npm/@lerna/create-symlink@4.0.0, npm/@lerna/create@4.0.0, npm/@lerna/describe-ref@4.0.0, npm/@lerna/diff@4.0.0, npm/@lerna/exec@4.0.0, npm/@lerna/filter-options@4.0.0, npm/@lerna/filter-packages@4.0.0, npm/@lerna/get-npm-exec-opts@4.0.0, npm/@lerna/get-packed@4.0.0, npm/@lerna/github-client@4.0.0, npm/@lerna/gitlab-client@4.0.0, npm/@lerna/global-options@4.0.0, npm/@lerna/has-npm-version@4.0.0, npm/@lerna/import@4.0.0, npm/@lerna/info@4.0.0, npm/@lerna/init@4.0.0, npm/@lerna/link@4.0.0, npm/@lerna/list@4.0.0, npm/@lerna/listable@4.0.0, npm/@lerna/log-packed@4.0.0, npm/@lerna/npm-conf@4.0.0, npm/@lerna/npm-dist-tag@4.0.0, npm/@lerna/npm-install@4.0.0, npm/@lerna/npm-publish@4.0.0, npm/@lerna/npm-run-script@4.0.0, npm/@lerna/otplease@4.0.0, npm/@lerna/output@4.0.0, npm/@lerna/pack-directory@4.0.0, npm/@lerna/package-graph@4.0.0, npm/@lerna/package@4.0.0, npm/@lerna/prerelease-id-from-version@4.0.0, npm/@lerna/profiler@4.0.0, npm/@lerna/project@4.0.0, npm/@lerna/prompt@4.0.0, npm/@lerna/publish@4.0.0, npm/@lerna/pulse-till-done@4.0.0, npm/@lerna/query-graph@4.0.0, npm/@lerna/resolve-symlink@4.0.0, npm/@lerna/rimraf-dir@4.0.0, npm/@lerna/run-lifecycle@4.0.0, npm/@lerna/run-topologically@4.0.0, npm/@lerna/run@4.0.0, npm/@lerna/symlink-binary@4.0.0, npm/@lerna/symlink-dependencies@4.0.0, npm/@lerna/timer@4.0.0, npm/@lerna/validation-error@4.0.0, npm/@lerna/version@4.0.0, npm/@lerna/write-log-file@4.0.0, npm/@nodelib/fs.scandir@2.1.5, npm/@nodelib/fs.stat@2.0.5, npm/@nodelib/fs.walk@1.2.8, npm/@npmcli/ci-detect@1.3.0, npm/@npmcli/git@2.1.0, npm/@npmcli/installed-package-contents@1.0.7, npm/@npmcli/move-file@1.1.2

View full report↗︎

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 5 vulnerabilities #44

[Snyk] Fix for 5 vulnerabilities #44

KK68HK commented Oct 20, 2024

changeset-bot bot commented Oct 20, 2024

socket-security bot commented Oct 20, 2024

[Snyk] Fix for 5 vulnerabilities #44

Are you sure you want to change the base?

[Snyk] Fix for 5 vulnerabilities #44

Conversation

KK68HK commented Oct 20, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

changeset-bot bot commented Oct 20, 2024

⚠️ No Changeset found

socket-security bot commented Oct 20, 2024