[Snyk] Upgrade: bitcore-lib, bitcore-mnemonic, crypto-js, elliptic, ethereumjs-util, rlp, tweetnacl, tweetnacl-util #14

X-oss-byte · 2024-09-07T17:20:37Z

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

bitcore-lib
from 8.1.1 to 8.25.47 | 71 versions ahead of your current version | 2 years ago
on 2023-02-17
bitcore-mnemonic
from 8.1.1 to 8.25.47 | 71 versions ahead of your current version | 2 years ago
on 2023-02-17
crypto-js
from 3.1.8 to 3.3.0 | 4 versions ahead of your current version | 5 years ago
on 2020-02-12
elliptic
from 6.4.1 to 6.5.7 | 8 versions ahead of your current version | 25 days ago
on 2024-08-14
ethereumjs-util
from 6.1.0 to 6.2.1 | 2 versions ahead of your current version | 4 years ago
on 2020-07-16
rlp
from 2.2.3 to 2.2.7 | 4 versions ahead of your current version | 3 years ago
on 2021-10-06
tweetnacl
from 1.0.1 to 1.0.3 | 2 versions ahead of your current version | 5 years ago
on 2020-02-10
tweetnacl-util
from 0.15.0 to 0.15.1 | 1 version ahead of your current version | 5 years ago
on 2020-01-29

Issues fixed by the recommended upgrade:

Issue	Score	Exploit Maturity
Cryptographic Issues SNYK-JS-ELLIPTIC-571484	340	Proof of Concept
Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	340	No Known Exploit
Timing Attack SNYK-JS-ELLIPTIC-511941	340	No Known Exploit
Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	340	Proof of Concept
Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	340	Proof of Concept
Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	340	Proof of Concept
Cryptographic Issues SNYK-JS-ELLIPTIC-571484	340	Proof of Concept
Prototype Pollution SNYK-JS-LODASH-450202	340	Proof of Concept
Prototype Pollution SNYK-JS-LODASH-608086	340	Proof of Concept
Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	340	No Known Exploit
Timing Attack SNYK-JS-ELLIPTIC-511941	340	No Known Exploit
Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	340	Proof of Concept
Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	340	Proof of Concept
Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	340	Proof of Concept
Code Injection SNYK-JS-LODASH-1040724	340	Proof of Concept
Prototype Pollution SNYK-JS-LODASH-567746	340	Proof of Concept
Prototype Pollution SNYK-JS-LODASH-6139239	340	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	340	Proof of Concept

Release notes

Package name: bitcore-mnemonic

8.25.47 - 2023-02-17
8.25.46 - 2023-02-03
8.25.40 - 2022-10-11
8.25.38 - 2022-09-14
8.25.36 - 2022-08-02
8.25.35 - 2022-08-01
8.25.34 - 2022-07-28
8.25.31 - 2022-07-12
8.25.30 - 2022-06-07
8.25.28 - 2022-04-29
8.25.25 - 2021-12-06
8.25.10 - 2021-05-13
8.25.9 - 2021-05-11
8.25.8 - 2021-04-12
8.25.7 - 2021-03-05
8.25.4 - 2021-03-03
8.25.3 - 2021-03-01
8.25.2 - 2021-02-25
8.25.1 - 2021-02-25
8.25.0 - 2021-02-19
8.24.2 - 2021-01-27
8.24.1 - 2020-12-31
8.24.0 - 2020-12-30
8.23.1 - 2020-11-03
8.23.0 - 2020-10-26
8.22.2 - 2020-08-31
8.22.1 - 2020-08-31
8.22.0 - 2020-08-05
8.21.0 - 2020-07-22
8.20.5 - 2020-06-30
8.20.4 - 2020-06-03
8.20.3 - 2020-05-16
8.20.2 - 2020-05-15
8.20.1 - 2020-05-07
8.20.0 - 2020-05-06
8.17.1 - 2020-04-15
8.17.0 - 2020-04-09
8.16.2 - 2020-03-19
8.16.1 - 2020-03-19
8.16.0 - 2020-02-10
8.15.0 - 2020-02-04
8.14.4 - 2020-01-09
8.14.3 - 2020-01-09
8.14.1 - 2020-01-08
8.14.0 - 2020-01-07
8.13.2 - 2019-12-10
8.13.1 - 2019-12-10
8.13.0 - 2019-12-06
8.12.0 - 2019-11-21
8.11.1 - 2019-11-17
8.11.0 - 2019-11-15
8.10.1 - 2019-11-12
8.10.0 - 2019-11-11
8.9.0 - 2019-10-08
8.8.4 - 2019-09-30
8.8.3 - 2019-09-30
8.8.2 - 2019-09-27
8.8.1 - 2019-09-24
8.8.0 - 2019-09-20
8.7.4 - 2019-09-17
8.7.3 - 2019-09-16
8.7.2 - 2019-09-16
8.7.1 - 2019-09-12
8.7.0 - 2019-09-11
8.6.0 - 2019-08-07
8.5.1 - 2019-07-26
8.5.0 - 2019-07-23
8.3.4 - 2019-06-12
8.3.3 - 2019-05-24
8.3.0 - 2019-04-22
8.2.0 - 2019-04-12
8.1.1 - 2019-03-21

from bitcore-mnemonic GitHub release notes

Package name: crypto-js

3.3.0 - 2020-02-12
No content.
3.2.1 - 2020-02-11
No content.
3.2.0 - 2020-02-10
No content.
3.1.9-1 - 2016-12-14
No content.
3.1.8 - 2016-10-27
No content.

from crypto-js GitHub release notes

Package name: elliptic

from elliptic GitHub release notes

Package name: ethereumjs-util

6.2.1 - 2020-07-16
Other Features
- Stricter prefixed hex typing, PRs #3348, #3427 and #3357 (some changes removed in PR #3382 for backwards compatibility reasons, will be reintroduced along upcoming breaking releases)
Bugfixes
- Fixes an issue in the delete operation used for unhashed tries and pruning activated which resulted in a wrong state root (bad!), PR #3333
6.2.0 - 2019-11-07
6.1.0 - 2019-02-12

from ethereumjs-util GitHub release notes

Package name: rlp

2.2.7 - 2021-10-06
2.2.6 - 2020-07-16
2.2.5 - 2020-05-26
2.2.4 - 2019-11-01
2.2.3 - 2019-03-19

from rlp GitHub release notes

Package name: tweetnacl

1.0.3 - 2020-02-10
IMPORTANT BUG FIX. Due to a bug in calculating carry in
modulo reduction that used bit operations on integers larger than
32 bits, nacl.sign or nacl.sign.detached could have created
incorrect signatures.

This only affects signing, not verification.

Thanks to @ valerini on GitHub for finding and reporting the bug.
1.0.2 - 2020-01-16
Exported more internal undocumented functions for
third-party projects that rely on low-level interface,
(something users of TweetNaCl shouldn't care about).
1.0.1 - 2019-01-24
- Fixed TypeScript typings (#157)
- Rebuilt using newer version of Uglify-js.

from tweetnacl GitHub release notes

Package name: tweetnacl-util

0.15.1 - 2020-01-29
0.15.1
0.15.0 - 2017-03-19
- Added validation of base64-encoded input: decodeBase64 will throw if the string contains invalid characters. If you want to ignore whitespace, you should remove it before passing to decoder. (Previously only browser version would throw in this case. Turns out Node.js Buffer doesn't validate encoding at all, for "performance" reasons — that is, it returns some kind of output even for invalid input — for example Buffer.from("бред", "base64") results in <Buffer d7 9e> — which is ridiculous.)
- Buffer.from is now used on modern Node.js versions (versions that don't have from will continue using the deprecated constructor.)
This is the last version to be published on Bower: for simplicity, newer versions will only be published on NPM.

from tweetnacl-util GitHub release notes

Important

Check the changes in this PR to ensure they won't cause issues with your project.
This PR was automatically created by Snyk using the credentials of a real user.
Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

📜 Customise PR templates

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Snyk has created this PR to upgrade: - bitcore-lib from 8.1.1 to 8.25.47. See this package in npm: https://www.npmjs.com/package/bitcore-lib - bitcore-mnemonic from 8.1.1 to 8.25.47. See this package in npm: https://www.npmjs.com/package/bitcore-mnemonic - crypto-js from 3.1.8 to 3.3.0. See this package in npm: https://www.npmjs.com/package/crypto-js - elliptic from 6.4.1 to 6.5.7. See this package in npm: https://www.npmjs.com/package/elliptic - ethereumjs-util from 6.1.0 to 6.2.1. See this package in npm: https://www.npmjs.com/package/ethereumjs-util - rlp from 2.2.3 to 2.2.7. See this package in npm: https://www.npmjs.com/package/rlp - tweetnacl from 1.0.1 to 1.0.3. See this package in npm: https://www.npmjs.com/package/tweetnacl - tweetnacl-util from 0.15.0 to 0.15.1. See this package in npm: https://www.npmjs.com/package/tweetnacl-util See this project in Snyk: https://app.snyk.io/org/sammyfilly/project/8f51c66c-fdd1-4b81-a5aa-48a92bf04fe6?utm_source=github&utm_medium=referral&page=upgrade-pr

stackblitz · 2024-09-07T17:20:40Z

Run & review this pull request in StackBlitz Codeflow.

changeset-bot · 2024-09-07T17:20:40Z

⚠️ No Changeset found

Latest commit: df46da8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

sourcery-ai

We have skipped reviewing this pull request. Here's why:

It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
We don't review packaging changes - Let us know if you'd like us to change this.

sourcery-ai bot reviewed Sep 7, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Upgrade: bitcore-lib, bitcore-mnemonic, crypto-js, elliptic, ethereumjs-util, rlp, tweetnacl, tweetnacl-util #14

[Snyk] Upgrade: bitcore-lib, bitcore-mnemonic, crypto-js, elliptic, ethereumjs-util, rlp, tweetnacl, tweetnacl-util #14

X-oss-byte commented Sep 7, 2024

Other Features

Bugfixes

stackblitz bot commented Sep 7, 2024

changeset-bot bot commented Sep 7, 2024

sourcery-ai bot left a comment

[Snyk] Upgrade: bitcore-lib, bitcore-mnemonic, crypto-js, elliptic, ethereumjs-util, rlp, tweetnacl, tweetnacl-util #14

Are you sure you want to change the base?

[Snyk] Upgrade: bitcore-lib, bitcore-mnemonic, crypto-js, elliptic, ethereumjs-util, rlp, tweetnacl, tweetnacl-util #14

Conversation

X-oss-byte commented Sep 7, 2024

Snyk has created this PR to upgrade multiple dependencies.

Issues fixed by the recommended upgrade:

Other Features

Bugfixes

stackblitz bot commented Sep 7, 2024

changeset-bot bot commented Sep 7, 2024

⚠️ No Changeset found

sourcery-ai bot left a comment

Choose a reason for hiding this comment