Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update node #878

Closed
wants to merge 5 commits into from
Closed

Update node #878

wants to merge 5 commits into from

Conversation

Westlad
Copy link
Contributor

@Westlad Westlad commented Aug 16, 2022
edited
Loading

fixes #876
Updates node to v16.16 (latest lts) and npm to 8.17.

Use of node 8 enables vulnerable dependencies to be overridden with the overrides keyword in package.json. This is required to address a vulnerability in got; web3js depends on a vulnerable version.

@Westlad Westlad added the DNM Do not merge label Aug 16, 2022
@daveroga daveroga force-pushed the westlad/node-update branch 2 times, most recently from 49eda8c to 12f3997 Compare August 19, 2022 03:21
@daveroga daveroga self-assigned this Aug 19, 2022
@daveroga daveroga force-pushed the westlad/node-update branch 2 times, most recently from 92a4edf to 12f3997 Compare August 19, 2022 16:36
@daveroga
Copy link
Contributor

daveroga commented Aug 22, 2022
edited
Loading

Having problems with swarm-js dependency in web3. Already known in web3 project and reported web3/web3.js#5315 but web3 still using this library with vulnerability in last version 1.7.5.

So I will leave this PR until we have a solution and will open a spike for figuring out the impact of moving web3 to ethers in these projects (#888) in the case web3 is not solving this vulnerability in new versions.

@israelboudoux israelboudoux mentioned this pull request Aug 22, 2022
Closed
@israelboudoux
Copy link
Contributor

israelboudoux commented Aug 22, 2022
edited
Loading

We are still having issues regarding dependency vulnerabilities because a transient dependency web3 -> web3-bzz -> swarm-js that isn't maintained anymore and has a dep on a got vulnarable version. There is a pending PR in the swarm-js repo which would solve this, I've added a comment referring to the maintainers to see if they can merge it, but probably won't be enough since when @daveroga forced the update to the latest version of got for swarm-js, the Proposer started to fail.

@pawelgrzybek
Copy link
Contributor

Looks like we have two very similar PRs.
#908

@Westlad
Copy link
Contributor Author

Westlad commented Sep 7, 2022

Oh blast, I forgot I opened this before I went on leave. I'll close it as #908 is more current and has @pawelgrzybek 's suggestions incorporated.

@Westlad Westlad closed this Sep 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@daveroga daveroga

Labels
Changes to deployment DNM Do not merge Merge conflict
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

upgrade Node to latest lts
5 participants
@Westlad @daveroga @israelboudoux @pawelgrzybek @druiz0992