This repository has been archived by the owner on Dec 11, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 43
chore(deps): update dependency web3 [security] #376
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-web3-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
New dependencies detected. Learn more about Socket for GitHub ↗︎
|
👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎ This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
renovate
bot
changed the title
chore(deps): update dependency web3 to v1.10.4 [security]
chore(deps): update dependency web3 to v1.10.4 [security] - autoclosed
Apr 18, 2024
renovate
bot
changed the title
chore(deps): update dependency web3 to v1.10.4 [security] - autoclosed
chore(deps): update dependency web3 to v1.10.4 [security]
Apr 19, 2024
renovate
bot
force-pushed
the
renovate/npm-web3-vulnerability
branch
from
April 19, 2024 06:52
c6a1e90
to
a6d3f6a
Compare
renovate
bot
force-pushed
the
renovate/npm-web3-vulnerability
branch
from
June 7, 2024 05:36
a6d3f6a
to
4b7bc62
Compare
renovate
bot
force-pushed
the
renovate/npm-web3-vulnerability
branch
from
June 18, 2024 20:57
4b7bc62
to
8edf13e
Compare
renovate
bot
changed the title
chore(deps): update dependency web3 to v1.10.4 [security]
chore(deps): update dependency web3 [security]
Jun 18, 2024
renovate
bot
force-pushed
the
renovate/npm-web3-vulnerability
branch
from
July 23, 2024 23:43
8edf13e
to
b9f36e1
Compare
renovate
bot
force-pushed
the
renovate/npm-web3-vulnerability
branch
from
October 10, 2024 02:28
b9f36e1
to
a9527ef
Compare
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
bot
force-pushed
the
renovate/npm-web3-vulnerability
branch
from
December 3, 2024 23:44
a9527ef
to
d299a9f
Compare
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.8.1
->1.8.2
1.3.6
->1.5.3
Insecure Credential Storage in web3
GHSA-27v7-qhfv-rqq8
More information
Details
All versions of
web3
are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
ChainSafe/web3.js (web3)
v1.8.2
Compare Source
Changed
crypto-browserify
module is now used only in webpack builds for polyfilling browsers (#5629)ethereumjs-util
to7.1.5
(#5629)lerna
4 to version 6 (#5680)Fixed
web3.utils._jsonInterfaceMethodToString
(#5550)Removed
clean-webpack-plugin
has been removed from dev-dependencies (#5629)Added
https-browserify
,process
,stream-browserify
,stream-http
,crypto-browserify
added to dev-dependencies for polyfilling (#5629)readable-stream
to dev-dependancies for webpack (#5629)Security
npm audit fix
for libraries update (#5726)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.