[Snyk] Fix for 3 vulnerabilities #85
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TAR-15038581 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-14908844 - https://snyk.io/vuln/SNYK-JS-LODASH-15053838
There was a problem hiding this comment.
Pull request overview
This PR is an automated Snyk fix that updates several npm dependencies to remediate reported vulnerabilities (notably in lodash, tar, and elliptic via transitive deps). The key impact is a major version upgrade of web3 and related Ethereum tooling libraries.
Changes:
- Bump
ethereumjs-txfrom^1.3.3to^2.1.2andethereumjs-utilfrom^5.1.2to^5.2.1. - Bump
lodashfrom^4.17.4to^4.17.23to address prototype pollution. - Upgrade
web3from1.0.0-beta.37to4.0.1and alignweb3-core-helpers,web3-core-method, andweb3-utilsto1.6.0.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "web3-core-helpers": "1.0.0-beta.37", | ||
| "web3-core-method": "1.0.0-beta.37", | ||
| "web3-utils": "1.0.0-beta.37", | ||
| "web3": "4.0.1", |
There was a problem hiding this comment.
Upgrading web3 from 1.0.0-beta.37 to 4.0.1 is a major breaking change and the current codebase still relies on v1-style APIs (e.g. web3.toWei/web3.fromWei, callback-based web3.eth.getBalance/getBlockNumber, web3.eth.personal.getAccounts, web3.currentProvider.sendAsync, and web3.currentProvider.rpcEngine._middleware in src/utils/ethutil.js, scripts/deploy_contracts.js, and test/utils/TestUtils.js). With these lines as-is, the front-end and some tests are very likely to break at runtime when built against web3 v4; either the web3 upgrade should be deferred or the codebase should be updated and tested to match the v4 API surface before merging.
| "web3": "4.0.1", | |
| "web3": "1.6.0", |
| "ethereumjs-tx": "^2.1.2", | ||
| "ethereumjs-util": "^5.2.1", | ||
| "highlight.js": "^9.12.0", | ||
| "lodash": "^4.17.4", | ||
| "lodash": "^4.17.23", |
There was a problem hiding this comment.
These dependency upgrades change the resolved versions in package.json but package-lock.json (and yarn.lock, which is also present in the repo) are not updated, so installs will continue to use the old, potentially vulnerable versions until the lockfiles are regenerated. Before merging, please run the appropriate install/lockfile update (e.g. npm install or npm update and, if Yarn is used, yarn install) and commit the updated lockfile(s) so that builds are reproducible and actually pick up the patched versions.
| "dotenv": "^2.0.0", | ||
| "ethereumjs-tx": "^1.3.3", | ||
| "ethereumjs-util": "^5.1.2", | ||
| "ethereumjs-tx": "^2.1.2", |
There was a problem hiding this comment.
ethereumjs-tx is being upgraded here but it does not appear to be imported or required anywhere in the codebase (search_dir shows only ethereumjs-util is used). If this package is truly unused, it would be cleaner to remove it altogether rather than keep an unnecessary dependency, which slightly increases install time and the project’s attack surface.
| "ethereumjs-tx": "^2.1.2", |
| "web3-core-helpers": "1.6.0", | ||
| "web3-core-method": "1.6.0", | ||
| "web3-utils": "1.6.0", |
There was a problem hiding this comment.
The direct dependencies web3-core-helpers, web3-core-method, and web3-utils are bumped to 1.6.0 while web3 itself is set to 4.0.1, and none of these core packages are imported directly in the codebase. This mix of major versions within the same library family is confusing and unnecessary; unless you explicitly depend on these internals, consider removing them as direct dependencies and relying on web3 alone to avoid version skew and simplify maintenance.
| "web3-core-helpers": "1.6.0", | |
| "web3-core-method": "1.6.0", | |
| "web3-utils": "1.6.0", |
Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15038581
SNYK-JS-ELLIPTIC-14908844
SNYK-JS-LODASH-15053838
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution