
[Snyk] Upgrade: lodash, elliptic, rlp, ethereum-input-data-decoder, mem, minimist, nunjucks, openzeppelin-solidity, solidity-bytes-utils, truffle-flattener, web3 #15

Open

wants to merge 1 commit into base: master

Conversation

BitcoinOutput (Owner)

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

| Name | Versions | Ahead of your current version | Released on |
| --- | --- | --- | --- |
| lodash | from 4.17.19 to 4.17.21 | 2 versions | 4 years ago, on 2021-02-20 |
| elliptic | from 6.5.3 to 6.5.7 | 4 versions | a month ago, on 2024-08-14 |
| rlp | from 2.2.5 to 2.2.7 | 2 versions | 3 years ago, on 2021-10-06 |
| ethereum-input-data-decoder | from 0.3.0 to 0.4.2 | 7 versions | 2 years ago, on 2022-07-30 |
| mem | from 6.1.0 to 6.1.1 | 1 version | 4 years ago, on 2020-08-29 |
| minimist | from 1.2.5 to 1.2.8 | 3 versions | 2 years ago, on 2023-02-09 |
| nunjucks | from 3.2.0 to 3.2.4 | 4 versions | a year ago, on 2023-04-13 |
| openzeppelin-solidity | from 3.0.0-rc.0 to 3.4.2 | 18 versions | 3 years ago, on 2021-08-26 |
| solidity-bytes-utils | from 0.0.8 to 0.8.2 | 7 versions | 8 months ago, on 2024-01-15 |
| truffle-flattener | from 1.4.4 to 1.6.0 | 2 versions | 3 years ago, on 2022-02-12 |
| web3 | from 1.3.1 to 1.10.4 | 61 versions | 7 months ago, on 2024-02-05 |

Issues fixed by the recommended upgrade:

| Severity | Issue | Snyk ID | Score | Exploit Maturity |
| --- | --- | --- | --- | --- |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-NORMALIZEURL-1296539 | 539 | No Known Exploit |
| high | Prototype Pollution | SNYK-JS-NUNJUCKS-1079083 | 539 | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-INI-1048974 | 539 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-SEMVER-3247795 | 539 | Proof of Concept |
| high | Information Exposure | SNYK-JS-SIMPLEGET-2361683 | 539 | Proof of Concept |
| high | Arbitrary File Overwrite | SNYK-JS-TAR-1536528 | 539 | No Known Exploit |
| high | Arbitrary File Overwrite | SNYK-JS-TAR-1536531 | 539 | No Known Exploit |
| high | Use of Weak Hash | SNYK-JS-CRYPTOJS-6028119 | 539 | No Known Exploit |
| high | Denial of Service (DoS) | SNYK-JS-DECODEURICOMPONENT-3149970 | 539 | Proof of Concept |
| high | Cryptographic Issues | SNYK-JS-ELLIPTIC-571484 | 539 | Proof of Concept |
| high | Arbitrary File Write | SNYK-JS-TAR-1579152 | 539 | No Known Exploit |
| high | Arbitrary File Write | SNYK-JS-TAR-1579155 | 539 | No Known Exploit |
| high | Arbitrary File Write | SNYK-JS-TAR-1579147 | 539 | No Known Exploit |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ES5EXT-6095076 | 539 | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-ASYNC-2441827 | 539 | Proof of Concept |
| high | Improper Verification of Cryptographic Signature | SNYK-JS-BROWSERIFYSIGN-6037026 | 539 | No Known Exploit |
| high | Prototype Pollution | SNYK-JS-JSONSCHEMA-1920922 | 539 | No Known Exploit |
| high | Code Injection | SNYK-JS-LODASH-1040724 | 539 | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-LODASH-567746 | 539 | Proof of Concept |
| high | Prototype Poisoning | SNYK-JS-QS-3153490 | 539 | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-Y18N-1021887 | 539 | Proof of Concept |
| high | Denial of Service (DoS) | SNYK-JS-TRIMNEWLINES-1298042 | 539 | No Known Exploit |
| medium | Information Exposure | SNYK-JS-NODEFETCH-2342118 | 539 | No Known Exploit |
| medium | Denial of Service | SNYK-JS-NODEFETCH-674311 | 539 | No Known Exploit |
| medium | Cross-site Scripting (XSS) | SNYK-JS-NUNJUCKS-5431309 | 539 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-HOSTEDGITINFO-1088355 | 539 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-HTTPCACHESEMANTICS-3248783 | 539 | Proof of Concept |
| medium | Cryptographic Issues | SNYK-JS-ELLIPTIC-1064899 | 539 | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-COOKIEJAR-3149984 | 539 | Proof of Concept |
| medium | Open Redirect | SNYK-JS-EXPRESS-6474509 | 539 | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-GLOBPARENT-1016905 | 539 | Proof of Concept |
| medium | Open Redirect | SNYK-JS-GOT-2932019 | 539 | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-1018905 | 539 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-MINIMATCH-3050818 | 539 | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-PATHPARSE-1077067 | 539 | Proof of Concept |
| medium | Arbitrary Code Injection | SNYK-JS-UNDERSCORE-1080984 | 539 | Proof of Concept |
| low | Regular Expression Denial of Service (ReDoS) | SNYK-JS-TAR-1536758 | 539 | No Known Exploit |
| low | Regular Expression Denial of Service (ReDoS) | npm:debug:20170905 | 539 | Proof of Concept |
Release notes
Package name: lodash from lodash GitHub release notes
Package name: elliptic from elliptic GitHub release notes
Package name: rlp
  • 2.2.7 - 2021-10-06
  • 2.2.6 - 2020-07-16
  • 2.2.5 - 2020-05-26
from rlp GitHub release notes
Package name: ethereum-input-data-decoder
  • 0.4.2 - 2022-07-30
  • 0.4.1 - 2022-03-16
  • 0.4.0 - 2022-02-10
  • 0.3.5 - 2021-09-11
  • 0.3.4 - 2021-08-22
  • 0.3.2 - 2021-03-31
  • 0.3.1 - 2020-07-23
  • 0.3.0 - 2019-12-23
from ethereum-input-data-decoder GitHub release notes
Package name: mem from mem GitHub release notes
Package name: minimist from minimist GitHub release notes
Package name: nunjucks
  • 3.2.4 - 2023-04-13

    What's Changed

    Full Changelog: v3.2.3...v3.2.4

  • 3.2.3 - 2021-02-15
    • Add support for nested attributes on sort filter; respect throwOnUndefined if sort attribute is undefined.
    • Add base arg to int filter.
    • Move chokidar to peerDependencies and mark it optional in peerDependenciesMeta.
    • Fix prototype pollution issue for template variables. Merge of #1330; fixes #1331. Thanks ChenKS12138!
  • 3.2.2 - 2020-07-20
    • Add select and reject filters. Merge of #1278 and #1279; fixes #282. Thanks ogonkov!
    • Fix precompile binary script TypeError: name.replace is not a function. Fixes #1295.
    • Add support for nested attributes on groupby filter; respect throwOnUndefined option, if the groupby attribute is undefined. Merge of #1276; fixes #1198. Thanks ogonkov!
    • Fix bug that prevented errors in included templates from being raised when rendering templates synchronously. Fixes #1272.
    • The indent filter no longer appends an additional newline. Fixes #1231.
  • 3.2.1 - 2020-03-17
    • Replace yargs with commander to reduce number of dependencies. Merge of #1253. Thanks AlynxZhou.
    • Update optional dependency chokidar from ^2.0.0 to ^3.3.0. Merge of #1254. Thanks eklingen.
    • Prevent optional dependency Chokidar from loading when not watching. Merge of #1250. Thanks eklingen.
  • 3.2.0 - 2019-03-05
from nunjucks GitHub release notes
Package name: openzeppelin-solidity
  • 3.4.2 - 2021-08-26
    • TimelockController: Add additional isOperationReady check.
  • 3.4.2-solc-0.7 - 2021-08-26
    • TimelockController: Add additional isOperationReady check.
  • 3.4.1 - 2021-03-03
  • 3.4.1-solc-0.7 - 2021-03-03
  • 3.4.0 - 2021-02-02
  • 3.4.0-rc.0 - 2021-01-26
  • 3.3.0 - 2020-11-26
  • 3.3.0-rc.2 - 2020-11-24
  • 3.3.0-rc.1 - 2020-11-18
  • 3.3.0-rc.0 - 2020-11-17
  • 3.2.0 - 2020-09-10
  • 3.2.0-rc.0 - 2020-09-03
  • 3.1.0 - 2020-06-23
  • 3.1.0-rc.0 - 2020-06-11
  • 3.0.2 - 2020-06-08
  • 3.0.1 - 2020-04-27
  • 3.0.0 - 2020-04-20
  • 3.0.0-rc.1 - 2020-04-03
  • 3.0.0-rc.0 - 2020-03-16
from openzeppelin-solidity GitHub release notes
Package name: solidity-bytes-utils
  • 0.8.2 - 2024-01-15

    chore: release version 0.8.2

  • 0.8.1 - 2023-12-13

    chore: release version 0.8.1

  • 0.8.0 - 2021-04-12

    This version introduces breaking changes to support the new Solidity v0.8.x syntax.

    It also marks a new versioning system that will always match Solidity's major version, that is how you can assess compatibility going forward.

    ❤️

  • 0.1.2 - 2021-01-07
  • 0.1.1 - 2020-10-01

    Please update to this version that fully mitigates the memory corruption bug disclosed on October 1st.

    Thank you to @shanefontaine for reviewing the fixes!

  • 0.1.0 - 2020-09-30

    With this version we bump the minor version in an attempt to signal the importance of the fix in a project that has otherwise been very stable for a while.

    From the README:

    There was a critical bug in the slice method, reported in an audit of a DXDao codebase.

    Previously, no checks were being made on overflows of the _start and _length parameters since previous reviews of the codebase deemed this overflow "unexploitable" because of an inordinate expansion of memory (i.e., reading an immensely large memory offset causing huge memory expansion) resulting in an out-of-gas exception.

    However, as noted in the review mentioned above, this is not the case. The slice method in versions <=0.9.0 actually allows for a kind of arbitrary memory write (i.e., it allows memory writes to very specific values) in the specific case where these parameters are user-supplied inputs and not hardcoded values (which is uncommon).

    This made me realize that in permissioned blockchains where gas is also not a limiting factor this could become problematic in other methods and so I updated all typecasting-related methods to include new bound checks as well.

    TL;DR: if you're using the slice method with user-supplied inputs in your codebase please update the bytes library immediately!

  • 0.0.9 - 2020-07-03
  • 0.0.8 - 2019-06-26

    Changelog:

    • This version introduces all the missing unsigned integer typecasting methods (uint64, uint96, uint128). Thank you @bh2smith for his contribution! 🎉
from solidity-bytes-utils GitHub release notes
Package name: truffle-flattener
  • 1.6.0 - 2022-02-12
  • 1.5.0 - 2020-09-13

    The new version of truffle-flattener supports Solidity 0.7, and works out of the box with Buidler.

  • 1.4.4 - 2020-05-02
from truffle-flattener GitHub release notes
Package name: web3
  • 1.10.4 - 2024-02-05
  • 1.10.4-dev.0 - 2024-01-31
  • 1.10.3 - 2023-10-18
  • 1.10.3-dev.0 - 2023-10-16
  • 1.10.2 - 2023-08-28
  • 1.10.1 - 2023-08-14
  • 1.10.1-rc.0 - 2023-08-08
  • 1.10.0 - 2023-05-10
  • 1.10.0-rc.0 - 2023-05-02
  • 1.9.0 - 2023-03-20
  • 1.9.0-rc.0 - 2023-03-07
  • 1.8.2 - 2023-01-30
  • 1.8.2-rc.0 - 2023-01-11
  • 1.8.1 - 2022-11-10
  • 1.8.1-rc.0 - 2022-10-28
  • 1.8.0 - 2022-09-14
  • 1.8.0-rc.0 - 2022-09-08
  • 1.7.5 - 2022-08-01
  • 1.7.5-rc.1 - 2022-07-19
  • 1.7.5-rc.0 - 2022-07-15
  • 1.7.4 - 2022-06-21
  • 1.7.4-rc.2 - 2022-06-16
  • 1.7.4-rc.1 - 2022-06-08
  • 1.7.4-rc.0 - 2022-05-17
  • 1.7.3 - 2022-04-08
  • 1.7.3-rc.0 - 2022-04-07
  • 1.7.2 - 2022-04-07
  • 1.7.2-rc.0 - 2022-03-24
  • 1.7.1 - 2022-03-03
  • 1.7.1-rc.0 - 2022-02-10
  • 1.7.0 - 2022-01-17
  • 1.7.0-rc.0 - 2021-12-09
  • 1.6.1 - 2021-11-15
  • 1.6.1-rc.3 - 2021-11-10
  • 1.6.1-rc.2 - 2021-10-27
  • 1.6.1-rc.0 - 2021-10-09
  • 1.6.0 - 2021-09-30
  • 1.6.0-rc.0 - 2021-09-26
  • 1.5.3 - 2021-09-22
  • 1.5.3-rc.0 - 2021-09-10
  • 1.5.2 - 2021-08-15
  • 1.5.2-rc.0 - 2021-08-15
  • 1.5.1 - 2021-08-05
  • 1.5.1-rc.1 - 2021-08-05
  • 1.5.1-rc.0 - 2021-07-31
  • 1.5.0 - 2021-07-28
  • 1.5.0-rc.1 - 2021-07-24
  • 1.5.0-rc.0 - 2021-07-21
  • 1.4.0 - 2021-06-30
  • 1.4.0-rc.0 - 2021-06-25
  • 1.3.6 - 2021-05-14
  • 1.3.6-rc.2 - 2021-05-13
  • 1.3.6-rc.1 - 2021-05-09
  • 1.3.5 - 2021-04-05
  • 1.3.5-rc.0 - 2021-03-24
  • 1.3.4 - 2021-02-03
  • 1.3.4-rc.2 - 2021-01-28
  • 1.3.4-rc.1 - 2021-01-26
  • 1.3.3 - 2021-01-22
  • 1.3.2 - 2021-01-21
  • 1.3.2-rc.2 - 2021-01-21
  • 1.3.1 - 2020-12-17
from web3 GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade:
  - lodash from 4.17.19 to 4.17.21.
    See this package in npm: https://www.npmjs.com/package/lodash
  - elliptic from 6.5.3 to 6.5.7.
    See this package in npm: https://www.npmjs.com/package/elliptic
  - rlp from 2.2.5 to 2.2.7.
    See this package in npm: https://www.npmjs.com/package/rlp
  - ethereum-input-data-decoder from 0.3.0 to 0.4.2.
    See this package in npm: https://www.npmjs.com/package/ethereum-input-data-decoder
  - mem from 6.1.0 to 6.1.1.
    See this package in npm: https://www.npmjs.com/package/mem
  - minimist from 1.2.5 to 1.2.8.
    See this package in npm: https://www.npmjs.com/package/minimist
  - nunjucks from 3.2.0 to 3.2.4.
    See this package in npm: https://www.npmjs.com/package/nunjucks
  - openzeppelin-solidity from 3.0.0-rc.0 to 3.4.2.
    See this package in npm: https://www.npmjs.com/package/openzeppelin-solidity
  - solidity-bytes-utils from 0.0.8 to 0.8.2.
    See this package in npm: https://www.npmjs.com/package/solidity-bytes-utils
  - truffle-flattener from 1.4.4 to 1.6.0.
    See this package in npm: https://www.npmjs.com/package/truffle-flattener
  - web3 from 1.3.1 to 1.10.4.
    See this package in npm: https://www.npmjs.com/package/web3

See this project in Snyk:
https://app.snyk.io/org/debuggineffect/project/780e566c-3636-4e6c-ae4b-d100079f7d88?utm_source=github&utm_medium=referral&page=upgrade-pr