
[Snyk] Upgrade: @ethereumjs/util, @ethereumjs/common, @ethereumjs/trie, @ethereumjs/tx, @ethereumjs/vm, @ganache/console.log, @ganache/ethereum-address, @ganache/ethereum-block, @ganache/ethereum-options, @ganache/ethereum-transaction, @ganache/ethereum-utils, @ganache/options, @ganache/promise-queue, @ganache/rlp, @ganache/secp256k1, @ganache/utils, bip39, bufferutil, emittery, eth-sig-util, leveldown, tmp-promise, utf-8-validate, ws #687

Open: wants to merge 1 commit into base: develop
Conversation

X-oss-byte
Owner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

| Name | Versions | Released on |
| --- | --- | --- |
| @ethereumjs/util | from 8.0.5 to 8.1.0 (2 versions ahead of your current version) | a year ago, on 2023-06-20 |
| @ethereumjs/common | from 3.1.1 to 3.2.0 (2 versions ahead of your current version) | a year ago, on 2023-06-20 |
| @ethereumjs/trie | from 5.0.4 to 5.1.0 (2 versions ahead of your current version) | a year ago, on 2023-06-20 |
| @ethereumjs/tx | from 4.1.1 to 4.2.0 (2 versions ahead of your current version) | a year ago, on 2023-06-20 |
| @ethereumjs/vm | from 6.4.1 to 6.5.0 (2 versions ahead of your current version) | a year ago, on 2023-06-20 |
| @ganache/console.log | from 0.4.0 to 0.4.2 (2 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/ethereum-address | from 0.8.0 to 0.9.2 (3 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/ethereum-block | from 0.8.0 to 0.9.2 (3 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/ethereum-options | from 0.8.0 to 0.9.2 (3 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/ethereum-transaction | from 0.8.0 to 0.9.2 (3 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/ethereum-utils | from 0.8.0 to 0.9.2 (3 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/options | from 0.8.0 to 0.9.2 (3 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/promise-queue | from 0.4.0 to 0.4.2 (2 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/rlp | from 0.8.0 to 0.9.2 (3 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/secp256k1 | from 0.5.0 to 0.5.2 (2 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| @ganache/utils | from 0.8.0 to 0.9.2 (3 versions ahead of your current version) | 9 months ago, on 2023-12-21 |
| bip39 | from 3.0.4 to 3.1.0 (1 version ahead of your current version) | 2 years ago, on 2023-02-25 |
| bufferutil | from 4.0.5 to 4.0.8 (3 versions ahead of your current version) | a year ago, on 2023-10-15 |
| emittery | from 0.10.0 to 0.13.1 (7 versions ahead of your current version) | 2 years ago, on 2022-08-25 |
| eth-sig-util | from 2.5.3 to 2.5.4 (1 version ahead of your current version) | 4 years ago, on 2021-02-04 |
| leveldown | from 6.1.0 to 6.1.1 (1 version ahead of your current version) | 2 years ago, on 2022-03-25 |
| tmp-promise | from 3.0.2 to 3.0.3 (1 version ahead of your current version) | 3 years ago, on 2021-10-26 |
| utf-8-validate | from 5.0.7 to 5.0.10 (3 versions ahead of your current version) | 2 years ago, on 2022-10-18 |
| ws | from 8.2.3 to 8.18.0 (24 versions ahead of your current version) | 3 months ago, on 2024-07-03 |

Release notes
Package name: @ethereumjs/util
  • 8.1.0 - 2023-06-20

    EIP-7685 Requests: EIP-6110 (Deposits) / EIP-7002 (Withdrawals) / EIP-7251 (Consolidations)

    This library now supports EIP-6110 deposit requests, see PR #3390, EIP-7002 withdrawal requests, see PR #3385 and EIP-7251 consolidation requests, see PR #3477 as well as the underlying generic execution layer request logic introduced with EIP-7685 (PR #3372).

    These new request types will be activated with the Prague hardfork, see @ethereumjs/block README for detailed documentation.

    EIP-2935 Serve Historical Block Hashes from State (Prague)

    Starting with this release the VM supports EIP-2935 which stores the latest 256 block hashes in the storage of a system contract, see PR #3475 as the major integrational PR (while work on this has already been done in previous PRs).

    This EIP will be activated along the Prague hardfork. Note that this EIP has no effect on the resolution of the BLOCKHASH opcode, which will be a separate activation taking place by the integration of EIP-7709 in the following Osaka hardfork.

    Verkle Dependency Decoupling

    We have relatively light-heartedly added a new @ethereumjs/verkle main dependency to the VM/EVM stack in the v7.2.1 release, which added an additional burden to the bundle size by several hundred KB and additionally draws in unnecessary WASM code. Coupling with Verkle has been refactored in PR #3462 and the direct dependency has been removed again.

    An update to this release is therefore strongly recommended even if other fixes or features are not that relevant for you right now.

    Verkle Updates

    • Fixes for Kaustinen4 support, PR #3269
    • Kaustinen5 related fixes, PR #3343
    • Kaustinen6 adjustments, verkle-cryptography-wasm migration, PRs #3355 and #3356
    • Missing beaconroot account verkle fix, PR #3421
    • Remove the hacks to prevent account cleanups of system contracts, PR #3418
    • Updates EIP-2935 tests with the new proposed bytecode and corresponding config, PR #3438
    • Fix EIP-2935 address conversion issues, PR #3447
    • Remove backfill of block hashes on EIP-2935 activation, PR #3478

    Other Features

    • Add evmOpts to the VM opts to allow for options chaining to the underlying EVM, PR #3481
    • Stricter prefixed hex typing, PRs #3348, #3427 and #3357 (some changes removed in PR #3382 for backwards compatibility reasons, will be reintroduced along upcoming breaking releases)

    Other Changes

    • Removes support for EIP-2315 simple subroutines for EVM (deprecated with an alternative version integrated into EOF), PR #3342
    • Small clean-up to VM._emit(), PR #3396
    • Update mcl-wasm Dependency (Esbuild Issue), PR #3461

    Bugfixes

    • Fix block building with blocks including CL requests, PR #3413
    • Ensure system address is not created if it is empty, PR #3400
  • 8.0.6 - 2023-04-24
  • 8.0.5 - 2023-02-27
from @ethereumjs/util GitHub release notes
Package name: @ethereumjs/common
  • 3.2.0 - 2023-06-20
  • 3.1.2 - 2023-04-24
  • 3.1.1 - 2023-02-27
    • Fixes a Transient Storage EIP-1153 bug related to not clearing Transient Storage after creating a contract at tx-level (thanks to @yann300 ❤️), PR #3643
from @ethereumjs/common GitHub release notes
Package name: @ethereumjs/trie
  • 5.1.0 - 2023-06-20
  • 5.0.5 - 2023-04-24
  • 5.0.4 - 2023-02-27
from @ethereumjs/trie GitHub release notes
Package name: @ethereumjs/tx
  • 4.2.0 - 2023-06-20
  • 4.1.2 - 2023-04-24
  • 4.1.1 - 2023-02-27
from @ethereumjs/tx GitHub release notes
Package name: @ethereumjs/vm
  • 6.5.0 - 2023-06-20
  • 6.4.2 - 2023-04-24
  • 6.4.1 - 2023-02-27
from @ethereumjs/vm GitHub release notes
Package name: @ganache/console.log
  • 0.4.2 - 2023-12-21
  • 0.4.1 - 2023-08-22
  • 0.4.0 - 2023-04-13
from @ganache/console.log GitHub release notes
Package name: @ganache/ethereum-address
  • 0.9.2 - 2023-12-21
  • 0.9.1 - 2023-08-22
  • 0.9.0 - 2023-07-05
  • 0.8.0 - 2023-04-13
from @ganache/ethereum-address GitHub release notes
Package name: @ganache/ethereum-block
  • 0.9.2 - 2023-12-21
  • 0.9.1 - 2023-08-22
  • 0.9.0 - 2023-07-05
  • 0.8.0 - 2023-04-13
from @ganache/ethereum-block GitHub release notes
Package name: @ganache/ethereum-options
  • 0.9.2 - 2023-12-21
  • 0.9.1 - 2023-08-22
  • 0.9.0 - 2023-07-05
  • 0.8.0 - 2023-04-13
from @ganache/ethereum-options GitHub release notes
Package name: @ganache/ethereum-transaction
  • 0.9.2 - 2023-12-21
  • 0.9.1 - 2023-08-22
  • 0.9.0 - 2023-07-05
  • 0.8.0 - 2023-04-13
from @ganache/ethereum-transaction GitHub release notes
Package name: @ganache/ethereum-utils
  • 0.9.2 - 2023-12-21
  • 0.9.1 - 2023-08-22
  • 0.9.0 - 2023-07-05
  • 0.8.0 - 2023-04-13
from @ganache/ethereum-utils GitHub release notes
Package name: @ganache/options
  • 0.9.2 - 2023-12-21
  • 0.9.1 - 2023-08-22
  • 0.9.0 - 2023-07-05
  • 0.8.0 - 2023-04-13
from @ganache/options GitHub release notes
Package name: @ganache/promise-queue
  • 0.4.2 - 2023-12-21
  • 0.4.1 - 2023-08-22
  • 0.4.0 - 2022-12-15
from @ganache/promise-queue GitHub release notes
Package name: @ganache/rlp
  • 0.9.2 - 2023-12-21
  • 0.9.1 - 2023-08-22
  • 0.9.0 - 2023-07-05
  • 0.8.0 - 2023-04-13
from @ganache/rlp GitHub release notes
Package name: @ganache/secp256k1
  • 0.5.2 - 2023-12-21
  • 0.5.1 - 2023-08-22
  • 0.5.0 - 2022-12-15
from @ganache/secp256k1 GitHub release notes
Package name: @ganache/utils
  • 0.9.2 - 2023-12-21
  • 0.9.1 - 2023-08-22
  • 0.9.0 - 2023-07-05
  • 0.8.0 - 2023-04-13
from @ganache/utils GitHub release notes
Package name: bip39 from bip39 GitHub release notes
Package name: bufferutil from bufferutil GitHub release notes
Package name: emittery from emittery GitHub release notes
Package name: eth-sig-util
  • 2.5.4 - 2021-02-04

    Changed

    • Update ethereumjs-abi (#121)
    • Remove unused dependencies (#120)
    • Update minimum tweetnacl to latest version (#124)
  • 2.5.3 - 2020-03-16

    2.5.3

from eth-sig-util GitHub release notes
Package name: leveldown from leveldown GitHub release notes
Package name: tmp-promise
  • 3.0.3 - 2021-10-26
  • 3.0.2 - 2020-05-10

    update dependencies, add publish script, use strict mode

from tmp-promise GitHub release notes
Package name: utf-8-validate from utf-8-validate GitHub release notes
Package name: ws
  • 8.18.0 - 2024-07-03

    Features

    • Added support for Blob (#2229).
  • 8.17.1 - 2024-06-16

    Bug fixes

    • Fixed a DoS vulnerability (#2231).

    A request with a number of headers exceeding the server.maxHeadersCount
    threshold could be used to crash a ws server.

    ```js
    const http = require('http');
    const WebSocket = require('ws');

    const wss = new WebSocket.Server({ port: 0 }, function () {
      const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
      const headers = {};
      let count = 0;

      for (let i = 0; i < chars.length; i++) {
        if (count === 2000) break;

        for (let j = 0; j < chars.length; j++) {
          const key = chars[i] + chars[j];
          headers[key] = 'x';

          if (++count === 2000) break;
        }
      }

      headers.Connection = 'Upgrade';
      headers.Upgrade = 'websocket';
      headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
      headers['Sec-WebSocket-Version'] = '13';

      const request = http.request({
        headers: headers,
        host: '127.0.0.1',
        port: wss.address().port
      });

      request.end();
    });
    ```

    The vulnerability was reported by Ryan LaPointe in #2230.

    In vulnerable versions of ws, the issue can be mitigated in the following ways:

    1. Reduce the maximum allowed length of the request headers using the
      --max-http-header-size=size and/or the maxHeaderSize options so
      that no more headers than the server.maxHeadersCount limit can be sent.
    2. Set server.maxHeadersCount to 0 so that no limit is applied.
  • 8.17.0 - 2024-04-28

    Features

    • The WebSocket constructor now accepts the createConnection option (#2219).

    Other notable changes

    • The default value of the allowSynchronousEvents option has been changed to
      true (#2221).

    This is a breaking change in a patch release. The assumption is that the option
    is not widely used.

  • 8.16.0 - 2023-12-26

    Features

    • Added the autoPong option (01ba54e).
  • 8.15.1 - 2023-12-12

    Notable changes

    • The allowMultipleEventsPerMicrotask option has been renamed to
      allowSynchronousEvents (4ed7fe5).

    This is a breaking change in a patch release that could have been avoided with
    an alias, but the renamed option was added only 3 days ago, so hopefully it
    hasn't already been widely used.

  • 8.15.0 - 2023-12-09

    Features

    • Added the allowMultipleEventsPerMicrotask option (93e3552).
  • 8.14.2 - 2023-09-19

    Bug fixes

    • Fixed an issue that allowed errors thrown by failed assertions to be
      swallowed when running tests (7f4e1a7).
  • 8.14.1 - 2023-09-08
  • 8.14.0 - 2023-09-06
  • 8.13.0 - 2023-03-10
  • 8.12.1 - 2023-02-13
  • 8.12.0 - 2023-01-07
  • 8.11.0 - 2022-11-06
  • 8.10.0 - 2022-10-24
  • 8.9.0 - 2022-09-22
  • 8.8.1 - 2022-07-15
  • 8.8.0 - 2022-06-09
  • 8.7.0 - 2022-05-26
  • 8.6.0 - 2022-05-01
  • 8.5.0 - 2022-02-07
  • 8.4.2 - 2022-01-14
  • 8.4.1 - 2022-01-13
  • 8.4.0 - 2021-12-20
  • 8.3.0 - 2021-11-23
  • 8.2.3 - 2021-10-02
from ws GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade:
  - @ethereumjs/util from 8.0.5 to 8.1.0.
    See this package in npm: https://www.npmjs.com/package/@ethereumjs/util
  - @ethereumjs/common from 3.1.1 to 3.2.0.
    See this package in npm: https://www.npmjs.com/package/@ethereumjs/common
  - @ethereumjs/trie from 5.0.4 to 5.1.0.
    See this package in npm: https://www.npmjs.com/package/@ethereumjs/trie
  - @ethereumjs/tx from 4.1.1 to 4.2.0.
    See this package in npm: https://www.npmjs.com/package/@ethereumjs/tx
  - @ethereumjs/vm from 6.4.1 to 6.5.0.
    See this package in npm: https://www.npmjs.com/package/@ethereumjs/vm
  - @ganache/console.log from 0.4.0 to 0.4.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/console.log
  - @ganache/ethereum-address from 0.8.0 to 0.9.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/ethereum-address
  - @ganache/ethereum-block from 0.8.0 to 0.9.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/ethereum-block
  - @ganache/ethereum-options from 0.8.0 to 0.9.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/ethereum-options
  - @ganache/ethereum-transaction from 0.8.0 to 0.9.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/ethereum-transaction
  - @ganache/ethereum-utils from 0.8.0 to 0.9.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/ethereum-utils
  - @ganache/options from 0.8.0 to 0.9.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/options
  - @ganache/promise-queue from 0.4.0 to 0.4.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/promise-queue
  - @ganache/rlp from 0.8.0 to 0.9.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/rlp
  - @ganache/secp256k1 from 0.5.0 to 0.5.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/secp256k1
  - @ganache/utils from 0.8.0 to 0.9.2.
    See this package in npm: https://www.npmjs.com/package/@ganache/utils
  - bip39 from 3.0.4 to 3.1.0.
    See this package in npm: https://www.npmjs.com/package/bip39
  - bufferutil from 4.0.5 to 4.0.8.
    See this package in npm: https://www.npmjs.com/package/bufferutil
  - emittery from 0.10.0 to 0.13.1.
    See this package in npm: https://www.npmjs.com/package/emittery
  - eth-sig-util from 2.5.3 to 2.5.4.
    See this package in npm: https://www.npmjs.com/package/eth-sig-util
  - leveldown from 6.1.0 to 6.1.1.
    See this package in npm: https://www.npmjs.com/package/leveldown
  - tmp-promise from 3.0.2 to 3.0.3.
    See this package in npm: https://www.npmjs.com/package/tmp-promise
  - utf-8-validate from 5.0.7 to 5.0.10.
    See this package in npm: https://www.npmjs.com/package/utf-8-validate
  - ws from 8.2.3 to 8.18.0.
    See this package in npm: https://www.npmjs.com/package/ws

See this project in Snyk:
https://app.snyk.io/org/sammyfilly/project/ba8f6d70-d118-41d9-b658-68f101b5959d?utm_source=github&utm_medium=referral&page=upgrade-pr

stackblitz bot commented Sep 19, 2024

Run & review this pull request in StackBlitz Codeflow.


changeset-bot bot commented Sep 19, 2024

⚠️ No Changeset found

Latest commit: 918cf1e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


@sourcery-ai sourcery-ai bot left a comment

We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
  • We don't review packaging changes - Let us know if you'd like us to change this.
