[Snyk] Upgrade @openzeppelin/contracts from 4.8.1 to 4.9.6 #3

snyk-io · 2024-05-22T19:37:52Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade @openzeppelin/contracts from 4.8.1 to 4.9.6.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 11 versions ahead of your current version.
The recommended version was released 3 months ago, on 2024-02-29.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Incorrect Calculation SNYK-JS-OPENZEPPELINCONTRACTS-3339525	60/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00064, Social Trends: No, Days since published: 444, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 97, Impact: 2.35, Likelihood: 2.52, Score Version: V5	No Known Exploit
Incorrect Calculation SNYK-JS-OPENZEPPELINCONTRACTS-3339527	60/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00064, Social Trends: No, Days since published: 444, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 97, Impact: 2.35, Likelihood: 2.52, Score Version: V5	No Known Exploit
Improper Input Validation SNYK-JS-OPENZEPPELINCONTRACTS-5425051	60/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00064, Social Trends: No, Days since published: 444, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 97, Impact: 2.35, Likelihood: 2.52, Score Version: V5	No Known Exploit
Improper Input Validation SNYK-JS-OPENZEPPELINCONTRACTS-5711902	60/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00064, Social Trends: No, Days since published: 444, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 97, Impact: 2.35, Likelihood: 2.52, Score Version: V5	No Known Exploit
Improper Encoding or Escaping of Output SNYK-JS-OPENZEPPELINCONTRACTS-5838352	60/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00064, Social Trends: No, Days since published: 444, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 97, Impact: 2.35, Likelihood: 2.52, Score Version: V5	No Known Exploit
Out-of-bounds Read SNYK-JS-OPENZEPPELINCONTRACTS-6346765	60/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00064, Social Trends: No, Days since published: 444, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 97, Impact: 2.35, Likelihood: 2.52, Score Version: V5	No Known Exploit
Denial of Service (DoS) SNYK-JS-OPENZEPPELINCONTRACTS-5425827	60/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00064, Social Trends: No, Days since published: 444, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 97, Impact: 2.35, Likelihood: 2.52, Score Version: V5	No Known Exploit
Missing Authorization SNYK-JS-OPENZEPPELINCONTRACTS-5672116	60/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00064, Social Trends: No, Days since published: 444, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 97, Impact: 2.35, Likelihood: 2.52, Score Version: V5	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: @openzeppelin/contracts

4.9.6 - 2024-02-29
- Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)
4.9.5 - 2023-12-08
- Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).
4.9.4 - 2023-12-07
- ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
- Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.
4.9.3 - 2023-07-28

Note
This release contains a fix for GHSA-g4vp-m682-qqmp.
- ERC2771Context: Return the forwarder address whenever the msg.data of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes), as specified by ERC-2771. (#4481)
- ERC2771Context: Prevent revert in _msgData() when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes). Return the full calldata in that case. (#4484)
4.9.2 - 2023-06-16
4.9.1 - 2023-06-07
4.9.0 - 2023-05-23
4.9.0-rc.1 - 2023-05-17
4.9.0-rc.0 - 2023-05-09
4.8.3 - 2023-04-13
4.8.2 - 2023-03-02
4.8.1 - 2023-01-13

from @openzeppelin/contracts GitHub release notes

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Note: This is a default PR template raised by Snyk. Find out more about how you can customise Snyk PRs in our documentation.

Snyk has created this PR to upgrade @openzeppelin/contracts from 4.8.1 to 4.9.6. See this package in npm: @openzeppelin/contracts See this project in Snyk: https://app.snyk.io/org/hawthorne001/project/92741d18-d05f-4dd2-9b15-54188d505904?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr

socket-security · 2024-05-22T19:42:47Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@openzeppelin/contracts@4.9.6	None	`0`	2.02 MB	frangio
pypi/markdown-it-py@3.0.0	eval, filesystem, shell	`0`	264 kB	cjsewell, ebp-bot
pypi/markdown@3.6	environment, eval, filesystem	`0`	1.77 MB	facelessuser, qaramazov, waylan
pypi/markupsafe@2.1.5	environment, unsafe	`0`	143 kB
pypi/matplotlib-inline@0.1.7	network	`0`	27.6 kB	Sylvain.Corlay, fperez, martinRenou, ...1 more
pypi/mdurl@0.1.2	None	`0`	25.7 kB	hukkin
pypi/mergedeep@1.3.4	filesystem	`0`	24.3 kB	clarketm
pypi/mike@2.1.1	environment, filesystem, network, shell	`0`	145 kB	jimporter
pypi/mkdocs-autorefs@1.0.0	environment	`0`	55.7 kB	oprypin, pawamoy
pypi/mkdocs-material-extensions@1.3.1	None	`0`	37.6 kB	facelessuser
pypi/mkdocs-material@9.5.24	environment, eval, filesystem, network	`0`	14 MB	squidfunk
pypi/mkdocs@1.6.0	environment, eval, filesystem, network, shell	`0`	6.87 MB	d0ugal, mkdocsdeploy, oprypin, ...2 more
pypi/mkdocstrings-python@1.10.3	None	`0`	0 B
pypi/mkdocstrings@0.25.1	environment, filesystem	`0`	111 kB	oprypin, pawamoy
pypi/multidict@6.0.5	environment, shell, unsafe	`0`	685 kB	Andrew.Svetlov, webknjaz
pypi/mypy-extensions@1.0.0	None	`0`	11.5 kB	guido, hauntsaninja, ilevkivskyi, ...2 more
pypi/networkx@3.3	environment, eval, filesystem, shell, unsafe	`0`	8.61 MB	MridulS, dschult, hagberg, ...2 more
pypi/packaging@24.0	environment, eval, filesystem, shell	`0`	2.4 MB	brettcannon, dstufft, pf_moore, ...1 more
pypi/parsimonious@0.10.0	eval, filesystem	`0`	190 kB	erikrose, lonnen, lucaswiman
pypi/parso@0.8.4	environment, eval, filesystem, shell, unsafe	`0`	871 kB	David.Halter
pypi/pathspec@0.12.1	filesystem	`0`	217 kB	cpburnz
pypi/pathvalidate@3.2.0	environment, eval, filesystem	`0`	192 kB	thombashi
pypi/pbr@6.0.0	environment, filesystem, network, shell	`0`	426 kB	openstackci
pypi/pexpect@4.9.0	environment, eval, filesystem, network, shell, unsafe	`0`	659 kB	Red_M, jquast, luyer, ...2 more
pypi/pickleshare@0.7.5	eval, filesystem, unsafe	`0`	19.3 kB	mbussonn, minrk, takowl, ...1 more
pypi/pillow@10.3.0	environment, eval, filesystem, shell, unsafe	`0`	73 MB	aclark, hugovk, radarhere, ...1 more
pypi/platformdirs@4.2.2	environment, shell	`0`	122 kB	Julian, Ofekmeister, ronny
pypi/pluggy@1.5.0	environment, filesystem, network, shell	`0`	232 kB	The_Compiler, flub, goodboy, ...3 more
pypi/prompt-toolkit@3.0.43	environment, eval, filesystem, network, shell	`0`	1.78 MB	jonathan.slenders
pypi/ptyprocess@0.7.0	environment, filesystem	`0`	144 kB	Red_M, luyer, takowl
pypi/pycparser@2.22	environment, eval, filesystem, shell, unsafe	`0`	889 kB	eliben
pypi/pycryptodome@3.20.0	environment, eval, filesystem, network, unsafe	`0`	9.85 MB	Legrandin
pypi/pydantic@2.7.1	environment, eval, filesystem, shell, unsafe	`0`	3.83 MB	samuelcolvin
pypi/pygments@2.18.0	environment, eval, filesystem, network, shell, unsafe	`0`	44.1 MB	Anteru, gbrandl, mitsuhiko
pypi/pymdown-extensions@10.8.1	environment, filesystem, network	`0`	4.73 MB	facelessuser
pypi/pyparsing@3.1.2	environment, eval, filesystem, unsafe	`0`	2.46 MB	ptmcg
pypi/pytest-asyncio@0.23.7	eval, network	`0`	219 kB	Andrew.Svetlov, hpk, m.seifert, ...2 more
pypi/pytest@8.2.1	environment, eval, filesystem, network, shell, unsafe	`0`	5.71 MB	The_Compiler, anatoly, flub, ...4 more

🚮 Removed packages: npm/@openzeppelin/contracts@4.8.1

View full report↗︎

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Upgrade @openzeppelin/contracts from 4.8.1 to 4.9.6 #3

[Snyk] Upgrade @openzeppelin/contracts from 4.8.1 to 4.9.6 #3

snyk-io bot commented May 22, 2024

socket-security bot commented May 22, 2024

[Snyk] Upgrade @openzeppelin/contracts from 4.8.1 to 4.9.6 #3

Are you sure you want to change the base?

[Snyk] Upgrade @openzeppelin/contracts from 4.8.1 to 4.9.6 #3

Conversation

snyk-io bot commented May 22, 2024

Snyk has created this PR to upgrade @openzeppelin/contracts from 4.8.1 to 4.9.6.

socket-security bot commented May 22, 2024