deps: Bump ethereumjs and metamask packages #453

legobeat · 2023-10-13T04:41:14Z

No description provided.

socket-security · 2023-10-13T04:42:14Z

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
@metamask/eth-json-rpc-middleware	12.0.0	network	`+25`	5.27 MB	metamaskbot
@metamask/eth-json-rpc-infura	9.0.0	None	`+19`	4.7 MB	gudahtt
@ethereumjs/statemanager	1.1.0	network, environment	`+46`	22.6 MB	holgerd77
@metamask/eth-sig-util	7.0.0	None	`+17`	4.87 MB	metamaskbot
@ethereumjs/vm	6.5.0	network, environment	`+70`	34.1 MB	holgerd77
@ethereumjs/block	4.3.0	None	`+14`	4.75 MB	holgerd77
@ethereumjs/util	8.1.0	None	`+9`	3.66 MB	holgerd77
@metamask/rpc-errors	6.1.0	None	`+16`	4.62 MB	metamaskbot
@ethereumjs/tx	3.3.0...4.2.0	None	`+11/-9`	4.23 MB	holgerd77
eth-block-tracker	5.0.1...8.1.0	None	`+20/-2`	4.73 MB	lgbot

🚮 Removed packages: eth-json-rpc-filters@4.2.1, eth-json-rpc-infura@5.1.0, eth-json-rpc-middleware@6.0.0, eth-rpc-errors@3.0.0

socket-security · 2023-10-13T04:42:18Z

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: @metamask/safe-event-emitter@3.0.0, eth-block-tracker@8.1.0, bech32@1.1.4, @metamask/eth-json-rpc-middleware@12.0.0, ethers@5.7.2, mcl-wasm@0.7.9, @ethereumjs/rlp@4.0.1, rlp@2.2.6, rlp@2.2.7

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

legobeat · 2023-10-13T04:46:14Z

@SocketSecurity ignore @ethereumjs/rlp@4.0.1
@SocketSecurity ignore rlp@2.2.6
@SocketSecurity ignore rlp@2.2.7

bin script confusion ok (nb: the rlp@2.2.6 duplication is not actually present)

legobeat · 2023-10-13T04:47:39Z

@SocketSecurity ignore @metamask/safe-event-emitter@3.0.0
@SocketSecurity ignore eth-block-tracker@8.1.0
@SocketSecurity ignore bech32@1.1.4

new author ok

legobeat · 2023-10-13T04:48:01Z

@SocketSecurity ignore @metamask/eth-json-rpc-middleware@12.0.0
@SocketSecurity ignore ethers@5.7.2
@SocketSecurity ignore mcl-wasm@0.7.9

network access ok

kumavis · 2023-10-17T06:32:12Z

subproviders/vm.js

-  var vm = self.vm = createVm(self.engine, blockNumber, {
-    enableHomestead: true
+  const vm = self.vm = new VM({
+    stateManager: new EthersStateManager({


legobeat marked this pull request as ready for review October 13, 2023 04:48

legobeat requested a review from a team as a code owner October 13, 2023 04:48

legobeat added the dependencies Pull requests that update a dependency file label Oct 13, 2023

legobeat added 7 commits October 13, 2023 14:58

deps: @MetaMask package updates

b433d39

deps: eth-sig-util@^1.4.2 -> @metamask/eth-sig-util@^7.0.0

b90b77c

deps: @ethereumjs/tx@^3.3.0->^4.2.0

169a877

deps: ethereumjs-vm@^4.2.0 -> @ethereumjs/vm@^6.5.0

5dc2f45

deps: ethereumjs-block@^2.2.2 -> @ethereumjs/block@^4.3.0

27e6b49

deps: ethereumjs-util@^7.1.5 -> @ethereumjs/util@^8.1.0

25653c8

allow user override signTypedMessage version param

ccb2e36

legobeat force-pushed the deps-eth-json-rpc branch from 32c84c7 to ccb2e36 Compare October 13, 2023 05:58

legobeat requested review from kumavis, rekmarks, a team and naugtur October 13, 2023 06:30

kumavis reviewed Oct 17, 2023

View reviewed changes

kumavis approved these changes Oct 17, 2023

View reviewed changes

legobeat merged commit 7e28f6d into MetaMask:main Oct 18, 2023
5 checks passed

This was referenced Oct 18, 2023

babelify dependencies #454

Merged

devDeps(test): replace ethereumjs-util with @ethereumjs/util,ethereum-cryptography #457

Merged

legobeat mentioned this pull request Apr 18, 2024

[v16] bump ethereum-related dependencies #477

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deps: Bump ethereumjs and metamask packages #453

deps: Bump ethereumjs and metamask packages #453

legobeat commented Oct 13, 2023

socket-security bot commented Oct 13, 2023

socket-security bot commented Oct 13, 2023 •

edited

Loading

legobeat commented Oct 13, 2023

legobeat commented Oct 13, 2023

legobeat commented Oct 13, 2023

kumavis Oct 17, 2023

deps: Bump ethereumjs and metamask packages #453

deps: Bump ethereumjs and metamask packages #453

Conversation

legobeat commented Oct 13, 2023

socket-security bot commented Oct 13, 2023

socket-security bot commented Oct 13, 2023 • edited Loading

Next steps

legobeat commented Oct 13, 2023

legobeat commented Oct 13, 2023

legobeat commented Oct 13, 2023

kumavis Oct 17, 2023

Choose a reason for hiding this comment

socket-security bot commented Oct 13, 2023 •

edited

Loading