fix(deps): update dependency web3 to v1 #1186
Security Report
❌ New vulnerabilities:
| CVE | Severity |  CVSS Score |
Vulnerable Library | Suggested Fix | Issue | Reachability |
|---|---|---|---|---|---|---|
CVE-2024-48949Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/package.json Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/node_modules/@ethersproject/signing-key/node_modules/elliptic/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/node_modules/@ethersproject/signing-key/node_modules/elliptic/package.json Dependency Hierarchy: -> web3-1.5.3.tgz (Root Library) -> web3-shh-1.5.3.tgz -> web3-core-method-1.5.3.tgz -> transactions-5.7.0.tgz -> signing-key-5.7.0.tgz -> ❌ elliptic-6.5.4.tgz (Vulnerable Library) |
 Critical |
9.1 | elliptic-6.5.4.tgz | Upgrade to version: elliptic - 6.5.6 | None | |
CVE-2024-42461Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/package.json Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/node_modules/@ethersproject/signing-key/node_modules/elliptic/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/node_modules/@ethersproject/signing-key/node_modules/elliptic/package.json Dependency Hierarchy: -> web3-1.5.3.tgz (Root Library) -> web3-shh-1.5.3.tgz -> web3-core-method-1.5.3.tgz -> transactions-5.7.0.tgz -> signing-key-5.7.0.tgz -> ❌ elliptic-6.5.4.tgz (Vulnerable Library) |
Critical |
9.1 | elliptic-6.5.4.tgz | None | ||
CVE-2024-37890Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/package.json Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/node_modules/ws/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/node_modules/ws/package.json Dependency Hierarchy: -> web3-1.5.3.tgz (Root Library) -> web3-bzz-1.5.3.tgz -> swarm-js-0.1.42.tgz -> eth-lib-0.1.29.tgz -> ❌ ws-3.3.3.tgz (Vulnerable Library) |
 High |
7.5 | ws-3.3.3.tgz | Upgrade to version: ws - 5.2.4,6.2.3,7.5.10,8.17.1 | None | |
CVE-2024-21907Path to vulnerable library: /nuget/spec/fixtures/packages_configs/packages/Newtonsoft.Json.8.0.3/lib/net20/Newtonsoft.Json.dll Dependency Hierarchy: -> ❌ Newtonsoft.Json-8.0.3.19514.dll (Vulnerable Library) |
High |
7.5 | Newtonsoft.Json-8.0.3.19514.dll | Upgrade to version: Newtonsoft.Json - 13.0.1 | #1182 | |
CVE-2024-21907Path to vulnerable library: /nuget/spec/fixtures/packages_configs/packages/Newtonsoft.Json.8.0.3/lib/net40/Newtonsoft.Json.dll Dependency Hierarchy: -> ❌ Newtonsoft.Json-8.0.3.19514.dll (Vulnerable Library) |
High |
7.5 | Newtonsoft.Json-8.0.3.19514.dll | Upgrade to version: Newtonsoft.Json - 13.0.1 | #1182 | |
CVE-2024-21907Path to vulnerable library: /nuget/spec/fixtures/packages_configs/packages/Newtonsoft.Json.8.0.3/lib/net45/Newtonsoft.Json.dll Dependency Hierarchy: -> ❌ Newtonsoft.Json-8.0.3.19514.dll (Vulnerable Library) |
High |
7.5 | Newtonsoft.Json-8.0.3.19514.dll | Upgrade to version: Newtonsoft.Json - 13.0.1 | #1182 | |
CVE-2024-21907Path to vulnerable library: /nuget/spec/fixtures/packages_configs/packages/Newtonsoft.Json.8.0.3/lib/net35/Newtonsoft.Json.dll Dependency Hierarchy: -> ❌ Newtonsoft.Json-8.0.3.19514.dll (Vulnerable Library) |
High |
7.5 | Newtonsoft.Json-8.0.3.19514.dll | Upgrade to version: Newtonsoft.Json - 13.0.1 | #1182 | |
CVE-2024-21907Path to vulnerable library: /nuget/spec/fixtures/packages_configs/packages/Newtonsoft.Json.8.0.3/lib/portable-net40+sl5+wp80+win8+wpa81/Newtonsoft.Json.dll Dependency Hierarchy: -> ❌ Newtonsoft.Json-8.0.3.19514.dll (Vulnerable Library) |
High |
7.5 | Newtonsoft.Json-8.0.3.19514.dll | Upgrade to version: Newtonsoft.Json - 13.0.1 | #1182 | |
CVE-2024-21505Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/package.json Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/node_modules/web3-utils/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/node_modules/web3-utils/package.json Dependency Hierarchy: -> web3-1.5.3.tgz (Root Library) -> ❌ web3-utils-1.5.3.tgz (Vulnerable Library) |
High |
7.5 | web3-utils-1.5.3.tgz | Upgrade to version: web3-utils - 4.2.1 | None | |
CVE-2024-28863Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/package.json Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/node_modules/tar/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/node_modules/tar/package.json Dependency Hierarchy: -> web3-1.5.3.tgz (Root Library) -> web3-bzz-1.5.3.tgz -> swarm-js-0.1.42.tgz -> ❌ tar-4.4.19.tgz (Vulnerable Library) |
 Medium |
6.5 | tar-4.4.19.tgz | Upgrade to version: tar - 6.2.1 | None | |
CVE-2024-42460Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/package.json Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/node_modules/@ethersproject/signing-key/node_modules/elliptic/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/node_modules/@ethersproject/signing-key/node_modules/elliptic/package.json Dependency Hierarchy: -> web3-1.5.3.tgz (Root Library) -> web3-shh-1.5.3.tgz -> web3-core-method-1.5.3.tgz -> transactions-5.7.0.tgz -> signing-key-5.7.0.tgz -> ❌ elliptic-6.5.4.tgz (Vulnerable Library) |
Medium |
5.3 | elliptic-6.5.4.tgz | Upgrade to version: elliptic - 6.5.7 | None | |
CVE-2024-42459Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/package.json Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/node_modules/@ethersproject/signing-key/node_modules/elliptic/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/node_modules/@ethersproject/signing-key/node_modules/elliptic/package.json Dependency Hierarchy: -> web3-1.5.3.tgz (Root Library) -> web3-shh-1.5.3.tgz -> web3-core-method-1.5.3.tgz -> transactions-5.7.0.tgz -> signing-key-5.7.0.tgz -> ❌ elliptic-6.5.4.tgz (Vulnerable Library) |
Medium |
5.3 | elliptic-6.5.4.tgz | Upgrade to version: elliptic - 6.5.7 | None | |
CVE-2022-33987Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/package.json Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/git_sub_dep_invalid_from/node_modules/got/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/git_sub_dep_invalid_from/node_modules/got/package.json Dependency Hierarchy: -> web3-1.5.3.tgz (Root Library) -> web3-bzz-1.5.3.tgz -> ❌ got-9.6.0.tgz (Vulnerable Library) |
Medium |
5.3 | got-9.6.0.tgz | Upgrade to version: got - 11.8.5,12.1.0 | None |
✔️ Remediated vulnerabilities:
| CVE | Vulnerable Library |
|---|---|
| CVE-2023-46233 | crypto-js-3.1.8.tgz |
| CVE-2021-32740 | addressable-2.7.0.gem |
| WS-2019-0075 | web3-0.18.4.tgz |
| WS-2019-0097 | web3-0.18.4.tgz |
| CVE-2020-36732 | crypto-js-3.1.8.tgz |
Base branch total remaining vulnerabilities: 445
Base branch commit: ba8cd9078c8ce0cb202767d627706711237abf71
Total libraries scanned: 2529
Scan token: 8177c85bc1c3480c87c9866b2a855ced