
Added 17 vulnerabilities #152

Open
JeffWScott opened this issue Nov 12, 2024 · 1 comment

Comments

@JeffWScott

I went from "0 vulnerabilities" to "17 vulnerabilities (12 low, 5 high)" just by installing this package.

$ npm install helius-sdk
npm warn deprecated @irys/sdk@0.2.11: Arweave support is deprecated - We recommend migrating to the Irys datachain: https://migrate-to.irys.xyz/

added 260 packages, and audited 377 packages in 19s

88 packages are looking for funding
  run `npm fund` for details

17 vulnerabilities (12 low, 5 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
$ npm remove helius-sdk

removed 260 packages, and audited 117 packages in 2s

14 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

FedeSobre commented Nov 30, 2024

Exactly the same issue here, 0 to 17 (12 low, 5 high).
Problems are with elliptic and ws.

elliptic  <=6.5.7
Elliptic's EDDSA missing signature length check - https://github.com/advisories/GHSA-f7q4-pwc6-w24p
Elliptic's ECDSA missing check for whether leading bit of r and s is zero - https://github.com/advisories/GHSA-977x-g7h5-7qgw
Elliptic allows BER-encoded signatures - https://github.com/advisories/GHSA-49q7-c7j4-3p7m
Elliptic's verify function omits uniqueness validation - https://github.com/advisories/GHSA-434g-2637-qmqr
Valid ECDSA signatures erroneously rejected in Elliptic - https://github.com/advisories/GHSA-fc9h-whq2-v747
fix available via `npm audit fix --force`
Will install helius-sdk@1.0.15, which is a breaking change
node_modules/elliptic
  @ethersproject/signing-key  <=5.7.0
  Depends on vulnerable versions of elliptic
  node_modules/@ethersproject/signing-key
    @ethersproject/hdnode  *
    Depends on vulnerable versions of @ethersproject/abstract-signer
    Depends on vulnerable versions of @ethersproject/signing-key
    Depends on vulnerable versions of @ethersproject/transactions
    Depends on vulnerable versions of @ethersproject/wordlists
    node_modules/@ethersproject/hdnode
      @ethersproject/json-wallets  *
      Depends on vulnerable versions of @ethersproject/abstract-signer
      Depends on vulnerable versions of @ethersproject/hdnode
      Depends on vulnerable versions of @ethersproject/transactions
      node_modules/@ethersproject/json-wallets
    @ethersproject/transactions  <=5.7.0
    Depends on vulnerable versions of @ethersproject/signing-key
    node_modules/@ethersproject/transactions
      @ethersproject/abstract-provider  *
      Depends on vulnerable versions of @ethersproject/transactions
      node_modules/@ethersproject/abstract-provider
        @ethersproject/abstract-signer  *
        Depends on vulnerable versions of @ethersproject/abstract-provider
        node_modules/@ethersproject/abstract-signer
          @ethersproject/hash  5.0.6 - 5.7.0
          Depends on vulnerable versions of @ethersproject/abstract-signer
          node_modules/@ethersproject/hash
            @ethersproject/abi  5.0.10 - 5.7.0
            Depends on vulnerable versions of @ethersproject/hash
            node_modules/@ethersproject/abi
              @ethersproject/contracts  *
              Depends on vulnerable versions of @ethersproject/abi
              Depends on vulnerable versions of @ethersproject/abstract-provider
              Depends on vulnerable versions of @ethersproject/abstract-signer
              Depends on vulnerable versions of @ethersproject/transactions
              node_modules/@ethersproject/contracts
            @ethersproject/providers  <=5.7.2
            Depends on vulnerable versions of @ethersproject/abstract-provider
            Depends on vulnerable versions of @ethersproject/abstract-signer
            Depends on vulnerable versions of @ethersproject/hash
            Depends on vulnerable versions of @ethersproject/transactions
            Depends on vulnerable versions of ws
            node_modules/@ethersproject/providers
              @irys/sdk  *
              Depends on vulnerable versions of @ethersproject/contracts
              Depends on vulnerable versions of @ethersproject/providers
              Depends on vulnerable versions of @ethersproject/wallet
              Depends on vulnerable versions of arbundles
              node_modules/@irys/sdk
                helius-sdk  >=1.0.16
                Depends on vulnerable versions of @irys/sdk
                node_modules/helius-sdk
              arbundles  >=0.9.3
              Depends on vulnerable versions of @ethersproject/hash
              Depends on vulnerable versions of @ethersproject/providers
              Depends on vulnerable versions of @ethersproject/signing-key
              Depends on vulnerable versions of @ethersproject/transactions
              Depends on vulnerable versions of @ethersproject/wallet
              node_modules/arbundles
            @ethersproject/wallet  <=5.7.0
            Depends on vulnerable versions of @ethersproject/abstract-provider
            Depends on vulnerable versions of @ethersproject/abstract-signer
            Depends on vulnerable versions of @ethersproject/hash
            Depends on vulnerable versions of @ethersproject/hdnode
            Depends on vulnerable versions of @ethersproject/json-wallets
            Depends on vulnerable versions of @ethersproject/signing-key
            Depends on vulnerable versions of @ethersproject/transactions
            Depends on vulnerable versions of @ethersproject/wordlists
            node_modules/@ethersproject/wallet
            @ethersproject/wordlists  5.0.8 - 5.7.0
            Depends on vulnerable versions of @ethersproject/hash
            node_modules/@ethersproject/wordlists

ws  7.0.0 - 7.5.9
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install helius-sdk@1.0.15, which is a breaking change
node_modules/@ethersproject/providers/node_modules/ws
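One way to see how those two advisories are reached from an application that depends on helius-sdk, as an added example that is not part of this issue or of the helius-sdk project: a small Node script that walks a dependency graph constructed from the audit tree quoted above (trimmed to the chains ending in elliptic and ws, with assumed installed versions) and lists every root-to-package path whose installed version falls inside an advisory range.

```javascript
// Added example (not from the issue or helius-sdk): list every path from the
// application root to a package whose installed version is inside an advisory
// range. Graph edges are constructed from the quoted audit tree; versions are assumed.
const GRAPH = {
  app: ["helius-sdk"],
  "helius-sdk": ["@irys/sdk"],
  "@irys/sdk": ["@ethersproject/providers", "arbundles"],
  arbundles: ["@ethersproject/signing-key"],
  "@ethersproject/providers": ["ws", "@ethersproject/transactions"],
  "@ethersproject/transactions": ["@ethersproject/signing-key"],
  "@ethersproject/signing-key": ["elliptic"],
  ws: [],
  elliptic: [],
};
const INSTALLED = { elliptic: "6.5.7", ws: "7.5.9" }; // assumed resolved versions
// Ranges and advisory ids exactly as npm audit printed them in the thread.
const ADVISORIES = [
  { name: "elliptic", range: "<=6.5.7", id: "GHSA-f7q4-pwc6-w24p" },
  { name: "ws", range: "7.0.0 - 7.5.9", id: "GHSA-3h5v-q93c-6h6q" },
];

// Numeric major.minor.patch comparison; pre-release tags are not handled.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Handles the range forms npm audit prints here: "<=X", ">=X", "X - Y", "*".
function inRange(version, range) {
  if (range === "*") return true;
  const hyphen = range.match(/^(\S+) - (\S+)$/);
  if (hyphen) return cmp(version, hyphen[1]) >= 0 && cmp(version, hyphen[2]) <= 0;
  if (range.startsWith("<=")) return cmp(version, range.slice(2)) <= 0;
  if (range.startsWith(">=")) return cmp(version, range.slice(2)) >= 0;
  throw new Error("unsupported range: " + range);
}

// Depth-first walk collecting root -> ... -> vulnerable-package paths.
function vulnerablePaths(graph, installed, advisories, root = "app") {
  const hits = [];
  const walk = (name, path) => {
    for (const adv of advisories)
      if (adv.name === name && installed[name] && inRange(installed[name], adv.range))
        hits.push({ advisory: adv.id, path: path.join(" > ") });
    for (const dep of graph[name] || []) if (!path.includes(dep)) walk(dep, [...path, dep]);
  };
  walk(root, [root]);
  return hits;
}
```

Each reported path names the direct dependency that pulls the flagged package in, which is what decides whether a fix is an upgrade of that dependency or a forced downgrade like the `helius-sdk@1.0.15` that `npm audit fix --force` proposes.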
