Nothing Special   »   [go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency web3 [security] #376

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor
@renovate renovate bot commented Mar 29, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
web3 1.8.1 -> 1.8.2 age adoption passing confidence
web3 1.3.6 -> 1.5.3 age adoption passing confidence

Insecure Credential Storage in web3

GHSA-27v7-qhfv-rqq8

More information

Details

All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Severity

  • CVSS Score: 3.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

ChainSafe/web3.js (web3)

v1.8.2

Compare Source

Changed
  • Updated Webpack 4 to Webpack 5, more details at (#​5629)
  • crypto-browserify module is now used only in webpack builds for polyfilling browsers (#​5629)
  • Updated ethereumjs-util to 7.1.5 (#​5629)
  • Updated lerna 4 to version 6 (#​5680)
  • Bump utils 0.12.0 to 0.12.5 (#​5691)
Fixed
  • Fixed types for web3.utils._jsonInterfaceMethodToString (#​5550)
  • Fixed Next.js builds failing on Node.js v16, Abortcontroller added if it doesn't exist globally (#​5601)
  • Builds fixed by updating all typescript versions to 4.1 (#​5675)
Removed
  • clean-webpack-plugin has been removed from dev-dependencies (#​5629)
Added
  • https-browserify, process, stream-browserify, stream-http, crypto-browserify added to dev-dependencies for polyfilling (#​5629)
  • Add readable-stream to dev-dependancies for webpack (#​5629)
Security
  • npm audit fix for libraries update (#​5726)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link
vercel bot commented Mar 29, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
react-celo ❌ Failed (Inspect) Oct 10, 2024 2:29am

Copy link
socket-security bot commented Mar 29, 2024

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/web3@1.5.3 Transitive: environment, eval, filesystem, network, shell, unsafe +158 23.2 MB spacesailor

View full report↗︎

Copy link
socket-security bot commented Mar 29, 2024

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

@renovate renovate bot changed the title chore(deps): update dependency web3 to v1.10.4 [security] chore(deps): update dependency web3 to v1.10.4 [security] - autoclosed Apr 18, 2024
@renovate renovate bot closed this Apr 18, 2024
@renovate renovate bot deleted the renovate/npm-web3-vulnerability branch April 18, 2024 18:05
@renovate renovate bot changed the title chore(deps): update dependency web3 to v1.10.4 [security] - autoclosed chore(deps): update dependency web3 to v1.10.4 [security] Apr 19, 2024
@renovate renovate bot restored the renovate/npm-web3-vulnerability branch April 19, 2024 06:52
@renovate renovate bot reopened this Apr 19, 2024
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from c6a1e90 to a6d3f6a Compare April 19, 2024 06:52
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from a6d3f6a to 4b7bc62 Compare June 7, 2024 05:36
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from 4b7bc62 to 8edf13e Compare June 18, 2024 20:57
@renovate renovate bot changed the title chore(deps): update dependency web3 to v1.10.4 [security] chore(deps): update dependency web3 [security] Jun 18, 2024
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from 8edf13e to b9f36e1 Compare July 23, 2024 23:43
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants