Run npm audit checks before v5 rc.1 Releases #952

Closed
6 tasks done
holgerd77 opened this issue Nov 13, 2020 · 1 comment · Fixed by #955

Comments

@holgerd77
Member

holgerd77 commented Nov 13, 2020

I just did a test npm audit run on the VM and there are still a lot of vulnerabilities pointed out. Minimally the ones marked as "High" should be fixed before the rc.1 releases - see also #907. One particular problem is the mcl-wasm dependency drawing in a lot of vulnerabilities by having the nyc package in the main dependencies, I've opened a PR on this over on the library: herumi/mcl-wasm#17

Apart from that, all libraries should be checked, likely starting with the ones with the fewest internal dependencies (Common) and then working up the dependency tree.

Some practical note: after some trials I came to the conclusion that this is best to be tested "from the outside", to get out of this monorepo hoisting structure as well as to avoid side effects with the package-lock.json being present in the repo for CI reasons but not (!) being distributed with the releases, so to do e.g.:

npm init
npm i @ethereumjs/common (installs the latest beta)
npm audit

...within a new directory.

Library TODO List

  • @ethereumjs/common
  • @ethereumjs/tx
  • @ethereumjs/block
  • @ethereumjs/ethash
  • @ethereumjs/blockchain
  • @ethereumjs/vm

Final PR date on this: Wednesday, November 18th (earlier welcome)

@rumkin
Contributor

rumkin commented Nov 16, 2020

Well I've checked this issue. This is the methodology:

Check the repo

  1. Run git clone of the latest version of the code.
  2. Install each package's dependencies with npm i.
  3. Run audit for production-only dependencies with npm audit --production.
  4. Run audit for all dependencies with npm audit.

Check NPM packages

  1. Install all packages in new folders with empty package.json file inside.
  2. Run npm audit.

Audit dependency

  1. Check the NPM package's dependency maintenance status.
  2. Check the repository for current progress:
     • Is development active?
     • Was the vulnerability filed in issues?
     • Is there a PR with the fix?
  3. Estimate fixability: fixed, fix in progress, won't be fixed.
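The two procedures above (holgerd77's "from the outside" install-and-audit in a fresh directory, and rumkin's repo/package/dependency checklist) can be scripted so the rc.1 gate is repeatable. The Node script below is an added example and is not code from this issue or from the ethereumjs project. It assumes the `npm audit --json` report shapes of npm 6 (`advisories` keyed by id, with `findings[].dev`) and npm 7+ (`vulnerabilities` keyed by package name); the embedded report is a constructed sample, not real audit output, and the package names in it are placeholders.

```javascript
// Added example, not part of the ethereumjs repository: audit a published
// package "from the outside" and gate a release on the audit report.

// Severity ladder used by npm audit, lowest to highest.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// The three commands from the issue, run in a fresh directory so monorepo
// hoisting and the repo's (non-published) package-lock.json play no part.
function auditCommands(pkg, tag = "latest") {
  return ["npm init -y", `npm i ${pkg}@${tag}`, "npm audit --json"];
}

// Normalize a report into {name, severity, production, fixAvailable} records.
// Assumption: npm 6 shape (advisories, patched_versions "<0.0.0" = no fix) and
// npm 7+ shape (vulnerabilities, fixAvailable). npm 7+ carries no dev flag per
// finding, so those findings are treated as production-reaching (conservative).
function normalize(report) {
  const out = [];
  if (report.advisories) {
    for (const adv of Object.values(report.advisories)) {
      out.push({
        name: adv.module_name,
        severity: adv.severity,
        production: adv.findings.some((f) => !f.dev),
        fixAvailable: Boolean(adv.patched_versions && adv.patched_versions !== "<0.0.0"),
      });
    }
  } else if (report.vulnerabilities) {
    for (const v of Object.values(report.vulnerabilities)) {
      out.push({ name: v.name, severity: v.severity, production: true, fixAvailable: Boolean(v.fixAvailable) });
    }
  }
  return out;
}

// Count findings per severity (same numbers npm prints in metadata.vulnerabilities).
function summarize(findings) {
  const bySeverity = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const f of findings) if (f.severity in bySeverity) bySeverity[f.severity] += 1;
  return bySeverity;
}

// Release gate: findings at or above `threshold` that reach production dependencies.
// The issue asks for at least "High" to be fixed before rc.1, hence the default.
function blockingFindings(findings, threshold = "high") {
  const min = SEVERITIES.indexOf(threshold);
  return findings.filter((f) => f.production && SEVERITIES.indexOf(f.severity) >= min);
}

// First step of rumkin's fixability estimate: only "fixed" is derivable from the
// report; "fix in progress" vs "won't be fixed" needs a look at the upstream repo.
function triage(f) {
  return f.fixAvailable ? "fixed" : "needs upstream check";
}

// Runs the three commands in a throwaway directory and returns the parsed report.
// Needs network access, so the offline demo below does not call it.
function runOutsideAudit(pkg, tag = "latest") {
  const fs = require("fs"), os = require("os"), path = require("path");
  const { execSync } = require("child_process");
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "audit-"));
  const [init, install, audit] = auditCommands(pkg, tag);
  execSync(init, { cwd: dir, stdio: "ignore" });
  execSync(install, { cwd: dir, stdio: "ignore" });
  let raw;
  try {
    raw = execSync(audit, { cwd: dir, encoding: "utf8" });
  } catch (e) {
    raw = e.stdout; // npm audit exits non-zero when it finds vulnerabilities
  }
  return JSON.parse(raw);
}

// Constructed sample in the npm 6 shape (placeholder package names, not real advisories).
const SAMPLE_REPORT = {
  advisories: {
    "1": { module_name: "dep-a", severity: "high", patched_versions: ">=2.0.0",
           findings: [{ version: "1.0.0", paths: ["nyc>dep-a"], dev: false }] },
    "2": { module_name: "dep-b", severity: "moderate", patched_versions: "<0.0.0",
           findings: [{ version: "0.1.0", paths: ["dep-b"], dev: false }] },
    "3": { module_name: "dep-c", severity: "critical", patched_versions: ">=1.1.0",
           findings: [{ version: "1.0.0", paths: ["dep-c"], dev: true }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1 } },
};

const demoFindings = normalize(SAMPLE_REPORT);
console.log(summarize(demoFindings));
for (const f of blockingFindings(demoFindings, "high")) {
  console.log(`BLOCKING ${f.severity} ${f.name} (${triage(f)})`);
}
```

On the sample, the dev-only critical finding is reported in the counts but does not block, while the high finding pulled in through the `nyc` path does; lowering the threshold to "moderate" also catches the unfixable `dep-b`. Swapping `SAMPLE_REPORT` for `runOutsideAudit("@ethereumjs/common", "beta")` runs the check the issue describes against the published beta.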
