[Snyk] Fix for 14 vulnerabilities #1

snyk-bot · 2023-02-15T17:49:05Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	No	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-NUNJUCKS-1079083	No	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	No	No Known Exploit
596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: elliptic

The new version differs by 5 commits.

43ac7f2 6.5.4
f4bc72b package: bump deps
441b742 ec: validate that a point before deriving keys
e71b2d9 lib: relint using eslint
8421a01 build(deps): bump elliptic from 6.4.1 to 6.5.3 (Redirect to my project lists and add to my BlockchainID extension bnb-chain/bsc-genesis-contract#231)

See the full diff

Package name: ethereum-input-data-decoder

The new version differs by 20 commits.

1a2484b Bump version
863273a Merge branch 'roderik-master'
9469a28 fix: upgrade meow to fix CVE issues
a19603a Bump version
0c012ff Merge branch 'alexcampbelling-fix/nested-tuple-array'
1613760 Merge branch 'fix/nested-tuple-array' of https://github.com/alexcampbelling/ethereum-input-data-decoder into alexcampbelling-fix/nested-tuple-array
3b89e05 Update package.json
bfbd0c1 Merge branch 'NunoAlexandre-master'
e4e4cf4 Make lib importable on typescript projects
2940c6e Typuple type to null
736e176 Comments
b170a4a removed comments
d54eea8 builds
ff9b3e9 Cleaned up recursive base cases in which types were being indexed where they shouldn't be
a9dd15c Semver match original style
ed05ad0 Builds
4009c02 Recursive tuple strip and 2 new tests
47e5756 handle tuple array of arrays
4564b82 Add cli alias
7a140bd Update README

See the full diff

Package name: minimist

The new version differs by 4 commits.

7efb22a 1.2.6
ef88b93 security notice for additional prototype pollution issue
c2b9819 isConstructorOrProto adapted from PR
bc8ecee test from prototype pollution PR

See the full diff

Package name: nunjucks

The new version differs by 34 commits.

fd50090 Release v3.2.3
d34fdbf Temporarily comment out codecov action
cefad41 Replace README.md travis badge with github actions
7601ff4 Fixup github actions workflow file
de9dc67 Add GitHub Workflow for tests. fixes #1333
aa9e5b9 Fix prototype pollution security issue. fixes #1331
f51afa3 Move chokidar to peerDependencies and make it optional via peerDependenciesMeta (#1329)
f91f1c3 Fix `groupby` example formatting
7ef121c Add base and default args to int filter
0c02062 Use attribute getter for `sort` filter
c7337e7 Release v3.2.2
bea3a43 CHANGELOG: Fix issue link
8186d4f Don't append extra newline when using |indent filter
73a4eb3 Document `with context` behavior for `import` directive (fr)
eea081c Document `with context` behavior for `import` directive
bbcbaf3 Fix issue where sync render would not raise errors in included templates
63c4baf Remove development files from NPM package. Fixes #984
85918ef Document `if` statement with multiple conditions (fr). refs #1284
7ddd747 Document `if` statement with multiple conditions
1e29863 Add support for nested attributes in `groupBy` filter. Fixes #1198
7087fa9 Fix precompile bin TypeError: name.replace is not a function
1736334 Modify CHANGELOG message for select/reject filters
62565a1 Add `reject` filter
647fc11 Change version query

See the full diff

Package name: solidity-bytes-utils

The new version differs by 41 commits.

e93b867 Add deleted set of memory variables accidentally deleted with the last PR to master
fa2792e Revert version constraints back to `^0.5.0` in order to enhance compatibility
425edac Merge branch 'master' into develop
7727420 Change truffle config file to always use the right compielr version
87e1c28 Add eth lint (R4R: add parameters to bind event to facilitate reconciliation bnb-chain/bsc-genesis-contract#30)
1b55da7 Revert "Publish to GitHub package manager"
0cfd42f Publish to GitHub package manager
8f91f5d Merge branch 'master' into develop
e3d1f68 Fix for new truffle version breaking Codeship CI
8183d09 Merge branch 'master' into develop
5f91a80 Hotfix for correct EPM deployment
cd17878 Bump version to 0.0.8
541c524 Update dependencies
de03428 Merge branch 'master' into develop
db88c30 Fix README with correct example of import from NPM
658e88b Implement toUintXX for 64, 96 and 128 bits (R4R: mark some methods as read only bnb-chain/bsc-genesis-contract#25)
3222bc1 Fix typo in package-lock.json
40adf99 Merge branch 'master' into develop
5741a27 Update dependency versions
e177b3b Bump version in package-lock.json
5670587 Bump version to v0.0.7
9df9e9b Update package-lock.json
d942a00 (WIP) Upgrade to Solidity v0.5.0 (R4R: fix miniToken checker issue bnb-chain/bsc-genesis-contract#21)
4f5a1a9 Merge branch 'develop' of github.com:GNSPS/solidity-bytes-utils into develop

See the full diff

Package name: web3

The new version differs by 169 commits.

02895cb Build for 1.7.5
34f6b68 v1.7.5
195f01d Manual build commit for 1.7.5-rc.1
b640e26 v1.7.5-rc.1
96a7935 npm i
9476964 Merge branch '1.x' into release/1.7.5
84ac9b7 Fixed unit tests & removed dead code for web3-providers-http (#5228) (#5264)
2dcf142 Manual build commit for 1.7.5-rc.0
ba30e1d v1.7.5-rc.0
c93940b npm i and CHANGELOG update for 1.7.5 release
fc7bfcd 1.x Libs Update including parse-url (#5254)
ca827a7 fix Promise in Accounts.signTransaction() throwing errors that cannot be caught #4724 (#5080) (#5252)
35d8f7f Update AbstractProvider with correct typing (#5206)
57b6dc4 Add createAccessList type (#5146) (#5204)
46b5a5b fix remove wallet using an index when an account address and address lowercase are equal #5049 (#5050) (#5202)
2a1308f Fix transactionRoot -> transactionsRoot in BlockHeader (#5083) (#5197)
9e0d9d1 hexToNumber: return BigInt if result is bigger than max integer (#5157)
555aa0d web3-providers-http: Migrate from xhr2-cookies to cross-fetch (#5179)
c034b8d Update `got` dependency for `web3-bzz` package (#5178)
aae9d4a Updates on `README.md` Format (#5115)
8f05f19 Fixed documentation for web3.eth.accounts.signTransaction (#5121)
5b10473 Fix typo (#5116)
18da528 fix typos in web3-eth-accounts.rst & TESTING.md #5047 (#5048)
e9ab4a5 Typo foudn (#5142)