Update dependency web3 to v1.5.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
web3	1.3.6 -> 1.5.3

---

Insecure Credential Storage in web3

GHSA-27v7-qhfv-rqq8

More information

Details

All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Severity

• CVSS Score: 3.3 / 10 (Low)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/ethereum/web3.js/issues/2739
• https://github.com/ethereum/web3.js
• https://snyk.io/vuln/SNYK-JS-WEB3-174533
• https://www.npmjs.com/advisories/877

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

ChainSafe/web3.js (web3)

v1.5.3

Compare Source

Fixed

• Unable to send legacy transaction if network supported EIP-1559 (#​4277)
• Fixed bug in sending transaction with providers not support "newBlockHeaders" event (#​3891)

Changed

• ethers from 5.1.4 to 5.4.4 (#​4231)
• karma from 5.2.3 to 6.3.4 (#​4231)
• lerna from 3.22.1 to 4.0.0 (#​4231)
• Dropped build tests in CI for Node v8 and v10, and added support for Node v14 (#​4231)
• Change default value for maxPriorityFeePerGas from 1 Gwei to 2.5 Gwei (#​4284)
• Fixed bug in signTransaction (#​4295)

v1.5.2

Compare Source

Fixed

• Remove transaction type defaulting for eth.sendTransaction, eth.sendRawTransaction (#​4241)
• type: 0x0 was being added to legacy transaction when using eth.signTransaction (#​4241)

v1.5.1

Compare Source

Added

• maxPriorityFeePerGas and maxFeePerGas now included in _txInputFormatter (#​4217)
• If maxPriorityFeePerGas of maxFeePerGas present _txInputFormatter deletes tx.gasPrice (fixes #​4211) (#​4217)
• Add block tag support (e.g. latest, pending, earliest) to getFeeHistory (#​4224)
• Support for EIP-1559 to web3.eth.sendTransaction (#​4220)

v1.5.0

Compare Source

Added

• London transaction support (#​4155)
• RPC support eth_feehistory call (#​4191)
• Add toNumber method to web3.utils (#​4191)

Changed

• Grammar fix (#​4088) and updated Swarm (#​4151)and Whisper doc links (#​4170)
• Removed deprecation notice for HttpProvider (#​4008)
• Nonce added to send options in documentation and types (#​4052)
• Updated Solidity example to modern syntax (#​4147)
• Changing web3 connection example from lets to const (#​3967)
• Updated the documentation for the transaction object to include EIP-2718 and EIP-1559 options (#​4188)

v1.4.0

Compare Source

Added

• Berlin Transaction Support (#​4083)
• When signing a transaction, common object now defaults to berlin instead of petersburg

Changed

• Changed Geth Docker verision from stable to 1.10.3 in e2e.geth.instamine.sh and scripts/e2e.geth.automine.sh (#​4154)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub ↗︎

👍 No dependency changes detected in pull request

[openzeppelin-code]

Update dependency web3 to v1.5.3 [SECURITY]

Generated at commit: e8d30e91dc73c0a4a6f8180c01547e6c81847409

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	2 3 0 8 27 40
Dependencies	Critical High Medium Low Note Total	0 0 0 0 0 0

---

For more details view the full report in OpenZeppelin Code Inspector

[soloseng]

This is blocked by #76 due to node version incompatibilities.