[Snyk] Fix for 5 vulnerabilities #46

KK68HK · 2024-10-22T05:52:11Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- src/chains/filecoin/filecoin/package.json
- src/chains/filecoin/filecoin/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
776/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.1	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	No	Proof of Concept
776/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.1	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	No	Proof of Concept
776/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.1	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	No	Proof of Concept
701/1000 Why? Recently disclosed, Has a fix available, CVSS 8.3	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8172694	No	No Known Exploit
828/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.7	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8187303	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ipfs

The new version differs by 250 commits.

bf1bc8b chore: release master (#4364)
7b79c1b fix: add deprecation notice to readmes (feat: add --flavor feature (ganache chain plugins) trufflesuite/ganache#4362)
410725b chore: disable dependabot.yml (get help trufflesuite/ganache#4363)
b64d4af docs: update README.md (build(deps-dev): bump webpack from 5.65.0 to 5.76.0 in /src/chains/filecoin/options trufflesuite/ganache#4307)
3bcabe3 chore: fix link to ci results (Improve ganache interactive docs header so it says what it is in the header, not just the main body section trufflesuite/ganache#4299)
ab02e8f docs: update readmes to fix ci badges (System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache#4296)
c5e76b7 update-ipfs-http-client (Transaction simulation takes too long to return trufflesuite/ganache#4293)
6eeb1be deps(dev): update interop, ipfsd-ctl and kubo-rpc-client (interactive docs: backspacing at line 1 char 0 causes an issue with our export {/*magic*/};\n hack trufflesuite/ganache#4294)
6e94067 chore: release master (#4252)
d1c3abb deps: update libp2p to 0.42.x (#4288)
0cfcaf6 fix: allow reading rawLeaves in MFS (build(deps): bump dns-packet from 5.3.0 to 5.4.0 in /src/chains/filecoin/filecoin trufflesuite/ganache#4282)
fa578ba fix: disallow publishing pubsub messages to zero peers (Can ganache be used to run full privatenet? trufflesuite/ganache#4286)
789ee58 deps: update dag-jose to 4.0.0 (#4289)
4b4c124 deps: update ipfs-utils for node 18 compatibility (fix: use adjusted time on estimate gas when latest block is being used trufflesuite/ganache#4287)
5f73eca chore: do not double-build interface tests
1916ca8 chore: interface tests should run after build
115a405 fix: fix publish step
6d90cbf fix: use aegir to publish RCs (v7.7.6 trufflesuite/ganache#4284)
2a6fede fix: update lerna config for rc publishing (build(deps): bump minimist from 1.2.5 to 1.2.8 in /src/packages/core trufflesuite/ganache#4283)
e85e5b6 deps: update @ chainsafe/libp2p-gossipsub to 6.0.0 (build(deps): bump minimist from 1.2.5 to 1.2.8 in /src/chains/ethereum/ethereum trufflesuite/ganache#4280)
563806f fix: restore lerna for preleases (build(deps): bump minimist and mkdirp in /src/chains/filecoin/filecoin trufflesuite/ganache#4281)
521c84a fix!: update multiformats to v11.x.x and related depenendcies (build(deps): bump minimist from 1.2.5 to 1.2.8 in /src/chains/ethereum/transaction trufflesuite/ganache#4277)
6be5906 fix: mfs blob import for files larger than 262144b (Connecting MetaMask to remote detached Ganache CLI trufflesuite/ganache#4251)
b722041 docs: DisableNatPortMap should be true to disable port mapping (#4244)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

…filecoin/package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-7577916 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-7577917 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-7577918 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-8172694 - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303

changeset-bot · 2024-10-22T05:52:14Z

⚠️ No Changeset found

Latest commit: 7971377

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

socket-security · 2024-10-22T05:53:00Z

Report too large to display inline

View full report↗︎

socket-security · 2024-10-22T05:53:01Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Possible typosquat attack	npm/[email protected]	Did you mean: its-buffer	`src/chains/filecoin/filecoin/package-lock.json`	⚠︎

View full report↗︎

Next steps

What is a typosquat?

Package name is similar to other popular packages and may not be the package you want.

Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore npm/[email protected]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 5 vulnerabilities #46

[Snyk] Fix for 5 vulnerabilities #46

KK68HK commented Oct 22, 2024

changeset-bot bot commented Oct 22, 2024

socket-security bot commented Oct 22, 2024

socket-security bot commented Oct 22, 2024

[Snyk] Fix for 5 vulnerabilities #46

Are you sure you want to change the base?

[Snyk] Fix for 5 vulnerabilities #46

Conversation

KK68HK commented Oct 22, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

changeset-bot bot commented Oct 22, 2024

⚠️ No Changeset found

socket-security bot commented Oct 22, 2024

socket-security bot commented Oct 22, 2024

Next steps