Security alert on install from ethers, ws #920

Closed
jacque006 opened this issue Dec 11, 2024 · 4 comments · Fixed by #921
Labels
bug 🐛 Something isn't working

Comments

@jacque006
Contributor

Describe the bug
When installing the latest @semaphore-protocol/core (v4.7.2) & running npm audit, the following alert appears:

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
No fix available
node_modules/ws
  ethers  6.0.0-beta.1 - 6.13.0
  Depends on vulnerable versions of ws
  node_modules/ethers
    @semaphore-protocol/proof  >=4.0.0-alpha
    Depends on vulnerable versions of ethers
    node_modules/@semaphore-protocol/proof
      @semaphore-protocol/core  *
      Depends on vulnerable versions of @semaphore-protocol/proof
      node_modules/@semaphore-protocol/core

To Reproduce

  1. npm install @semaphore-protocol/core (Note some older versions may have this alert as well)
  2. npm audit

Expected behavior
No security alert is present. This has been fixed in ethers >= v6.13.1 https://github.com/ethers-io/ethers.js/releases/tag/v6.13.1.

Note that since this is a server-side ws issue, it is unlikely to have an impact barring some exceptional use cases (using Semaphore's ethers ws version on a server).

Technologies (please complete the following information):

  • Node.js v20.18.1
  • NPM 10.8.2

Additional context
I will open PR to address by updating ethers version. Feel free to assign this issue to me.

@jacque006 jacque006 added the bug 🐛 Something isn't working label Dec 11, 2024
@jacque006
Contributor Author

Would it also be valuable to add checks either in CI or a yarn command/script that fails if it detects a Severity: high in a dep?
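
As an added example of the kind of gate proposed above (not code from the Semaphore repository or from either commenter), the following Node script reads the JSON report that `npm audit --json` produces, fails when any finding is at or above a chosen severity, and prints the dependency chain from each root advisory to the top-level package so the offending transitive dependency is visible in CI logs. The report fields it relies on (`vulnerabilities`, `via`, `effects`, `range`, `isDirect`, `fixAvailable`) are those of the npm 7+ JSON audit report; the sample report embedded in it is constructed to mirror the ws -> ethers -> @semaphore-protocol/proof -> @semaphore-protocol/core chain from this issue, not captured output. npm can apply the threshold by itself with `npm audit --audit-level=high`, which exits non-zero only when a finding at that level or above exists; the script is the long form of that check with chain reporting added.

```javascript
// Added example, not Semaphore's code: a CI gate over `npm audit --json` output
// (npm 7+ report format, auditReportVersion 2).
//
// Usage:  npm audit --json | node audit-gate.js --stdin [--level high]
//         node audit-gate.js        (demo run against the constructed sample below)

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample modelled on the chain in this issue; not real npm output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    ws: {
      name: 'ws', severity: 'high', isDirect: false, fixAvailable: false,
      range: '8.0.0 - 8.17.0', nodes: ['node_modules/ws'], effects: ['ethers'],
      via: [{ name: 'ws', severity: 'high', range: '8.0.0 - 8.17.0',
              title: 'ws affected by a DoS when handling a request with many HTTP headers',
              url: 'https://github.com/advisories/GHSA-3h5v-q93c-6h6q' }],
    },
    ethers: {
      name: 'ethers', severity: 'high', isDirect: false, fixAvailable: false,
      range: '6.0.0-beta.1 - 6.13.0', nodes: ['node_modules/ethers'],
      via: ['ws'], effects: ['@semaphore-protocol/proof'],
    },
    '@semaphore-protocol/proof': {
      name: '@semaphore-protocol/proof', severity: 'high', isDirect: false, fixAvailable: false,
      range: '>=4.0.0-alpha', nodes: ['node_modules/@semaphore-protocol/proof'],
      via: ['ethers'], effects: ['@semaphore-protocol/core'],
    },
    '@semaphore-protocol/core': {
      name: '@semaphore-protocol/core', severity: 'high', isDirect: true, fixAvailable: false,
      range: '*', nodes: ['node_modules/@semaphore-protocol/core'],
      via: ['@semaphore-protocol/proof'], effects: [],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 4, critical: 0, total: 4 } },
};

// All report entries whose severity is at or above `threshold`, most severe first.
function findingsAtOrAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity level: ${threshold}`);
  return Object.values(report.vulnerabilities || {})
    .filter(v => (SEVERITY_RANK[v.severity] ?? -1) >= min)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Root advisories carry advisory objects in `via`; transitively affected packages
// only list the names of the packages they depend on.
function rootAdvisories(findings) {
  return findings.filter(v => (v.via || []).some(x => typeof x === 'object'));
}

// Follow `effects` edges from `root` up to the packages nothing else depends on,
// reproducing the indented chain shown by `npm audit`'s text output.
function dependencyChains(report, root) {
  const vulns = report.vulnerabilities || {};
  const chains = [];
  const walk = (name, path) => {
    const effects = (vulns[name] && vulns[name].effects) || [];
    const next = effects.filter(e => !path.includes(e)); // guard against cycles
    if (next.length === 0) { chains.push(path); return; }
    for (const e of next) walk(e, [...path, e]);
  };
  walk(root, [root]);
  return chains;
}

// Gate decision plus a human-readable summary for CI logs.
function gate(report, threshold = 'high') {
  const findings = findingsAtOrAbove(report, threshold);
  const lines = [];
  for (const v of rootAdvisories(findings)) {
    const adv = v.via.find(x => typeof x === 'object');
    lines.push(`${v.name}@${v.range} [${v.severity}] ${adv.title} ${adv.url}`);
    lines.push(`  fix available: ${v.fixAvailable ? 'yes' : 'no'}`); // npm may give an object here
    for (const c of dependencyChains(report, v.name)) lines.push(`  chain: ${c.join(' -> ')}`);
  }
  return { failed: findings.length > 0, count: findings.length, summary: lines.join('\n') };
}

function main() {
  const args = process.argv.slice(2);
  const level = args.includes('--level') ? args[args.indexOf('--level') + 1] : 'high';
  const report = args.includes('--stdin')
    ? JSON.parse(require('fs').readFileSync(0, 'utf8'))
    : SAMPLE_REPORT;
  const result = gate(report, level);
  console.log(result.summary || `no findings at severity ${level} or above`);
  // Only fail the process when gating real input; the demo run just reports.
  if (args.includes('--stdin') && result.failed) process.exitCode = 1;
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Wire it into CI as `npm audit --json | node audit-gate.js --stdin --level high` after the install step; a non-zero exit fails the job and the summary names the root advisory and the chain that pulled it in.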

jacque006 added a commit to jacque006/semaphore that referenced this issue Dec 11, 2024
Update ethers version to resolve ws security issue (CVE-2024-37890).
Move contract address check outside of branch statement so Typescript can see.
Add build instructions to setup to resolve 'Cannot find module '@semaphore-protocol/...' when
running tests for the first time.

re semaphore-protocol#920
@cedoor
Member

cedoor commented Dec 12, 2024

Would it also be valuable to add checks either in CI or a yarn command/script that fails if it detects a Severity: high in a dep?

Yes, I think it's definitely valuable! Do you want to open another issue for it?

cedoor pushed a commit that referenced this issue Dec 12, 2024
@jacque006
Contributor Author

@cedoor Done #922

@cedoor
Member

cedoor commented Dec 13, 2024

Thanks @jacque006 🙏🏽
