[Snyk] Fix for 16 vulnerabilities

[awaisab172]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	No	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ipld-zcash

The new version differs by 7 commits.

• c4c53d0 chore: update contributors
• d0faa55 chore: update Changlelog proactively
• ffda2b8 chore: update dependencies
• 22bc170 feat: switch to zcash-block for decoding
• 6a3869d fix(package): update multihashing-async to version 0.8.0
• 8c41e88 chore(package): update aegir to version 20.0.0
• e37e373 chore(package): update aegir to version 19.0.3

See the full diff

Package name: libp2p

The new version differs by 208 commits.

• 5299995 chore: release version v0.28.0
• 64a66f0 chore: update contributors
• e2a63ba chore: release version v0.28.0-rc.0
• 294b032 chore: update contributors
• 72f37ac fix: always emit when a connection is made
• 52a615f fix: expose the muxed stream interface on inbound streams
• 698c1df feat: support dial only on transport manager to tolerate errors (aegir@9.2.0 breaks build 🚨 ipfs/js-ipfs#643)
• 7f4662f chore: fix api formatting (Feature: PubSub 🌟 ipfs/js-ipfs#644)
• 84b935f feat: metadata book (docs: remove old ARCHITECTURE.md ipfs/js-ipfs#638)
• 0fbb597 docs: update examples to 0.28.x api (feat/awesome dag-pb ipfs/js-ipfs#625)
• 56316b8 docs: migration 0.27 to 0.28 (docs: update architecture overview and core architecture image, add more info to the readme ipfs/js-ipfs#637)
• aaa1155 chore: uncomment local peer public key after connect test
• aa5e232 chore: rewrite peer-store submit and retrieve docs (Update joi to version 10.0.0 🚀 ipfs/js-ipfs#605)
• eb7adcf docs: libp2p components options specified
• 0be74e6 chore: apply suggestions from code review
• 6065923 chore: integrate libp2p-keychain into js-libp2p (fix(cli): Tell user to init repo if not initialized when starting daemon ipfs/js-ipfs#633)
• 2b45fee fix: onConnect should not add addr to the addressBook
• 8bf5a70 chore: integrate libp2p-keychain into js-libp2p (fix(cli): Tell user to init repo if not initialized when starting daemon ipfs/js-ipfs#633)
• 6627278 chore: apply suggestions from code review
• 65e8746 chore: add keys to keybook on connection upgraded
• 7b8d016 chore: apply suggestions from code review
• ce38033 feat: keybook
• 3f2b06d chore: remove peer-info from package table
• 1e3d6f4 chore: apply suggestions from code review

See the full diff

Package name: libp2p-bootstrap

The new version differs by 26 commits.

• 189e2a7 chore: release version v0.11.0
• 3f992d5 chore: update contributors
• 01ce4ec Merge pull request move, update and clean the roadmap ipfs/js-ipfs#103 from libp2p/chore/peer-discovery-not-using-peer-info
• 3a9200e chore: use new libp2p-interfaces release
• b782934 chore: add tests for peer-discovery interface
• 8a99f1b chore: peer-discovery not using peer-info
• a87c1f7 chore(deps-dev): bump aegir from 20.6.1 to 21.2.0 (Update README.md ipfs/js-ipfs#102)
• a0d96c5 chore: release version v0.10.4
• cfa0718 chore: update contributors
• 29b8aa6 fix: remove use of assert module (Add object patch endpoints and cli commands ipfs/js-ipfs#99)
• d38edfb chore: release version v0.10.3
• a2a1f20 chore: update contributors
• 5041f28 fix: validate list (removes --force ipfs/js-ipfs#97)
• 83201ca chore: update deps ('ipfs init': CLI + tests ipfs/js-ipfs#96)
• 37ed296 chore: release version v0.10.2
• c247d30 chore: update contributors
• 5ad84ff Revert "fix: use callback in start from js-libp2p (Small issues getting up and running with js-ipfs ipfs/js-ipfs#93)"
• c2d9ae9 chore: release version v0.10.1
• 59b46ff chore: update contributors
• 74c305d fix: use callback in start from js-libp2p (Small issues getting up and running with js-ipfs ipfs/js-ipfs#93)
• 8f90e44 chore: remove commitlint (tests use random ports for gateways now ipfs/js-ipfs#94)
• c050a26 chore: release version v0.10.0
• cd646df chore: update contributors
• 77cfc28 refactor: callbacks -> async/await (test: Teamcity report for karma ipfs/js-ipfs#89)

See the full diff

Package name: libp2p-delegated-content-routing

The new version differs by 13 commits.

• dff4cbd chore: release version v0.4.3
• 4d166ab chore: update contributors
• d36b085 chore: update ipfs-http-client dep ([Snyk] Security upgrade react-scripts from 3.1.1 to 4.0.0 #23)
• f672b84 docs: document required API endpoints ([Snyk] Security upgrade react-scripts from 3.1.1 to 4.0.0 #21)
• ad91771 chore: release version v0.4.2
• 8e532ea chore: update contributors
• 7af6f74 chore: use it-all ([Snyk] Security upgrade libp2p from 0.26.2 to 0.30.3 #20)
• 6ff0e64 chore: release version v0.4.1
• 3868dce chore: update contributors
• b2690c7 fix: async it refs ([Snyk] Security upgrade libp2p from 0.26.2 to 0.30.3 #19)
• 31b26bc chore: release version v0.4.0
• 524e11f chore: update contributors
• 22ff40c chore: rename timeout option ([Snyk] Fix for 1 vulnerabilities #18)

See the full diff

Package name: libp2p-delegated-peer-routing

The new version differs by 7 commits.

• 00296ba chore: release version v0.4.1
• ee2128e chore: update contributors
• afbc877 chore: update ipfs-http-client dep ([Snyk] Fix for 1 vulnerabilities #17)
• 949c0c0 docs: document required API endpoint ([Snyk] Fix for 1 vulnerabilities #15)
• 9a46c6b chore: release version v0.4.0
• 1510fde chore: update contributors
• 36d852f chore: rename timeout option ([Snyk] Security upgrade libp2p-webrtc-star from 0.16.1 to 0.20.4 #14)

See the full diff

Package name: libp2p-gossipsub

The new version differs by 62 commits.

• aafe59a chore: release version v0.4.0
• c1bd368 chore: update contributors
• 1970522 Merge pull request [Snyk] Fix for 1 vulnerabilities #70 from ChainSafe/chore/remove-peer-info-usage
• 5177489 Merge branch 'master' into chore/remove-peer-info-usage
• cf62125 chore: release version v0.3.0
• 83095cb chore: update contributors
• 7aa669c Merge pull request [Snyk] Security upgrade libp2p from 0.26.2 to 0.27.0 #71 from hugomrdias/fix/add-buffer
• d8e9d1b fix: add buffer and update deps
• 602ccaa chore: remove peer-info usage
• f2b67a2 chore: release version v0.2.6
• 5a2ee18 chore: update contributors
• ed214f1 Merge pull request [Snyk] Fix for 1 vulnerabilities #69 from ChainSafe/docs/specify-spec-version-implemented
• 4b133b1 Merge pull request [Snyk] Security upgrade ipfs-repo from 0.26.6 to 0.27.0 #66 from ChainSafe/mpetrunic/type-definitions
• beb3c90 docs: specify spec version implemented
• 7c6f65b chore: release version v0.2.5
• 9102b0d chore: update contributors
• 9b7af11 Merge pull request [Snyk] Security upgrade ipld-zcash from 0.3.0 to 0.5.2 #67 from ChainSafe/tuyen/message-id-function
• d8fa6aa Document 'messageCache' option
• 4033b8b Address comments
• f174b5a Update README.md
• c7459e7 Add method comment
• d20b42f Provide a way to override message id function
• 7e17f12 add typescript definitions
• 97515f7 chore: release version v0.2.4

See the full diff

Package name: libp2p-kad-dht

The new version differs by 45 commits.

• 42eb5eb chore: release version v0.19.0
• 0ed345a chore: update contributors
• 568c19c chore: use new content and peer routing apis (ipfs-repo@0.7.5 breaks build ⚠️ ipfs/js-ipfs#181)
• 129566f chore: update interface links (Update snazzy to version 4.0.0 🚀 ipfs/js-ipfs#182)
• a00b470 chore: release version v0.19.0-pre.0
• 12d0872 chore: use libp2p 0.28.x branch
• f0fb212 chore: peer-discovery not using peer-info (ipfs-repo@0.7.4 breaks build ⚠️ ipfs/js-ipfs#180)
• b9e45ff chore: release version v0.19.0-pre.0
• 67a2db7 chore: update contributors
• 194c701 chore: use new peer store api (ipfs-repo@0.7.3 breaks build ⚠️ ipfs/js-ipfs#179)
• 6456cc8 chore: release version v0.18.6
• 8d31075 chore: update contributors
• fe3b218 chore(deps): bump cids from 0.7.5 to 0.8.0 (ipfs-block-service@0.2.8 breaks build ⚠️ ipfs/js-ipfs#178)
• 7b8d115 chore(deps): bump p-map from 3.0.0 to 4.0.0 (ipfs-block@0.2.2 breaks build ⚠️ ipfs/js-ipfs#177)
• 764ba63 chore(deps-dev): bump sinon from 8.1.1 to 9.0.0 (ipfs-block@0.2.1 breaks build ⚠️ ipfs/js-ipfs#176)
• 5ee91d7 chore(deps-dev): bump aegir from 20.6.1 to 21.0.2 (ipfs-repo@0.7.2 breaks build ⚠️ ipfs/js-ipfs#175)
• 698fc51 chore: release version v0.18.5
• 636d4c2 chore: update contributors
• de85eb6 fix: remove use of assert module (ipfs-merkle-dag@0.4.3 breaks build 🚨 ipfs/js-ipfs#173)
• 7b99370 chore: release version v0.18.4
• c5721d0 chore: update contributors
• 3731a2e chore(deps): bump libp2p-interfaces from 0.1.7 to 0.2.3 (libp2p-ipfs@0.3.4 breaks build 🚨 ipfs/js-ipfs#171)
• 49f8e46 chore(deps-dev): bump datastore-level from 0.12.1 to 0.14.1 (Update ipfs-repo to version 0.7.0 🚀 ipfs/js-ipfs#169)
• 6b7dcbf chore(deps-dev): bump sinon from 7.5.0 to 8.1.1 (ipfs-merkle-dag@0.4.1 breaks build 🚨 ipfs/js-ipfs#168)

See the full diff

Package name: libp2p-mdns

The new version differs by 16 commits.

• 5b46aaa chore: release version v0.14.0
• bcf3e44 chore: update contributors
• fca175e chore: peer-discovery not using peer-info (Pick random ports on tests ipfs/js-ipfs#90)
• ecdda6e chore: release version v0.13.3
• 28c0ae1 chore: update contributors
• cf180e1 chore(deps-dev): bump aegir from 20.6.1 to 21.0.2
• e362b04 fix: remove use of assert module (jsipfs swarm ipfs/js-ipfs#87)
• bea3dd1 chore: release version v0.13.2
• 0d2c1a1 chore: update contributors
• 084ee53 chore: remove unused dep async (upgrades peer-id to 0.6.0 ipfs/js-ipfs#86)
• a9661bd chore: release version v0.13.1
• a02a6d2 chore: update contributors
• a88483c fix: do not emit empty peer info objects (Add object endpoints and cli commands ipfs/js-ipfs#85)
• de2c897 chore: release version v0.13.0
• 8a5cced chore: update contributors
• 46d78eb refactor: callbacks -> async / await ([Snyk] Security upgrade react-scripts from 3.1.1 to 5.0.0 #78)

See the full diff

Package name: libp2p-secio

The new version differs by 8 commits.

• b3a7040 chore: release version v0.12.1
• f1e79ce chore: update contributors
• b22152a chore: clean up published package (Shared Core API (standardise across js-ipfs and js-ipfs-api) ipfs/js-ipfs#110)
• aea41de chore: release version v0.12.0
• c081ea5 chore: update contributors
• 8ad4c15 refactor: use async await (Fixed issues with some required modules ipfs/js-ipfs#108)
• 774267f docs(fix): readme typo (feat: pin ipfs/js-ipfs#107)
• 1329e9c chore: add discourse badge (Update all dependencies 🌴 ipfs/js-ipfs#105)

See the full diff

Package name: libp2p-webrtc-star

The new version differs by 60 commits.

• c07ac28 chore: release version v0.18.5
• 8a02859 chore: update contributors
• f09d007 chore: use ipfs utils for webrc support (daemon leaves behind api file lock on error ipfs/js-ipfs#229)
• 79059da chore(deps-dev): bump aegir from 22.1.0 to 23.0.0 (WIP http cat ipfs/js-ipfs#227)
• f89449a chore: release version v0.18.4
• 130da90 chore: update contributors
• 74e9059 fix: do not signal if channel destroyed (chore(package): update ipfs-api to version 4.0.3 ipfs/js-ipfs#226)
• dc9bfa6 fix: add error handler for incoming connections (aegir@3.0.4 breaks build ⚠️ ipfs/js-ipfs#224)
• 50dd42d chore: make the docker image much smaller. (aegir@3.0.3 breaks build ⚠️ ipfs/js-ipfs#223)
• 7fc8a8b chore(deps-dev): bump aegir from 21.10.2 to 22.0.0 (Update ipfs-api to version 4.0.1 🚀 ipfs/js-ipfs#221)
• bb781a3 chore: release version v0.18.3
• 7357362 chore: update contributors
• fe14c96 chore: release version v0.18.2
• d571fd0 chore: update contributors
• 830507d chore: update aegir (Update ipfs-api to version 4.0.0 🚀 ipfs/js-ipfs#220)
• 4ed25a5 chore: release version v0.18.1
• e07abd6 chore: update contributors
• 0eb097e fix: add buffer (lodash.set@4.2.0 breaks build ⚠️ ipfs/js-ipfs#217)
• 9149058 chore: release version v0.18.0
• f2b3ac1 chore: update contributors
• ab4aafe chore: peer-discovery not using peer-info (Only log addresses that are actually being listened on ipfs/js-ipfs#213)
• 74be193 chore: release version v0.17.9
• 6f17307 chore: update contributors
• 08282dd feat: support dash case parameters (Update peer-book to version 0.1.1 🚀 ipfs/js-ipfs#211)

See the full diff

Package name: libp2p-websockets

The new version differs by 4 commits.

• b5496fb chore: release version v0.13.0
• b0ffbb2 chore: update contributors
• fcb6bcc test: fix skips (util module for repo setup/teardown ipfs/js-ipfs#95)
• ce7bf4f refactor: async with multiaddr conn (track: jsipfs swarm ipfs/js-ipfs#92)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cryptographic Issues
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn