[Snyk] Fix for 23 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/contractkit/package.json
  • packages/contractkit/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-DATEANDTIME-1054430	Yes	No Known Exploit
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-JSONBIGINT-608659	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: jest

The new version differs by 22 commits.

• ff9269b chore: bump most dated deps (Add contractkit function to return CIP8 storage roots array celo-org/celo-monorepo#8850)
• 7594141 chore: upgrade to eslint@6 (Reduce Attestation On-call Burden celo-org/celo-monorepo#8855)
• b33ce0d chore: upgrade to micromatch v4 (Celo: <Issue Title>Wrong Transiotion and wrong addressed celo-org/celo-monorepo#8852)
• d6ff72a chore: add node 12 to CI (Deliver frozen audit 51 scope to OpenZeppelin celo-org/celo-monorepo#8411)
• 7e9b4ea chore: upgrade jsdom ([on-call] look into discrepancy between validator AS dashboards celo-org/celo-monorepo#8851)
• 4bb7a2d Use `weak-napi` instead of `weak` in `jest-leak-detector`
• ce47c6c Get rid of Node 6 support (Investigate Economic Test and Documentation Coverage celo-org/celo-monorepo#8455)
• bc5c3c7 jest-snapshot: Remove only the added newlines in multiline snapshots (Add signature verification code for CIP-40 requests celo-org/celo-monorepo#8859)
• d523fa8 bug.md: highlights placeholder should be removed (Fix bug in signature parsing for EIP712TypedData celo-org/celo-monorepo#8836)
• 08f109c expect: Display expectedDiff more carefully in toBeCloseTo (Merge release 5 to master celo-org/celo-monorepo#8389)
• b09de2d chore: bump node-notifier for node v6 support
• 557a39f fix(linter): Fix linting failure introduced in Provide security guidance for ODIS key celo-org/celo-monorepo#8847 😓 (Exclude phoenix metrics in grafana cloud celo-org/celo-monorepo#8849)
• 012472b fix(docs): Update broken links in docs. (Provide security guidance for ODIS key celo-org/celo-monorepo#8847)
• ee2bea1 chore: sort member in imports (Set vulnerable dependency to fixed version celo-org/celo-monorepo#8846)
• 9ba4594 add Chinese Jest work with AngularJS tutorial (LockedGold.slash() should only payout to reporters who are registered on Accounts celo-org/celo-monorepo#8828)
• 0e5b363 chore: reduce reliance on esModuleInterop ([Valora] Investigate Methods for identifying for Merchant Payments and Mirror Refunds in Valora Feed celo-org/celo-monorepo#8842)
• d69f8d3 getTimerCount will not include cancelled immediates (Code cleanup celo-org/celo-monorepo#8764)
• b4bd77b Fix grammar: "your jest's config"->"your Jest..." ([Valora] Show copy to indicate merchant payments and refunds in Transaction Feed celo-org/celo-monorepo#8843)
• 54b3dcf Fix grammar: "a known issues"->"a known issue" (Figure out how Wallets Recognize a Mirror Transaction as a Merchant Refund celo-org/celo-monorepo#8844)
• e76c7da docs: update matchMedia methods (Add Result type guards celo-org/celo-monorepo#8835)
• 23b9860 chore: roll new version of docs
• 3cdbd55 Release 24.9.0

See the full diff

Package name: ts-jest

The new version differs by 165 commits.

• ad58c9b chore(release): 25.3.0
• 949e3e1 chore: update package-lock.json
• b8ebf36 docs: add Troubleshoting section ([Wallet] Upgrade app version to v1.5.1 celo-org/celo-monorepo#1463)
• 8b5325e chore(transformer): only do type checking for js/jsx/ts/tsx file (Set usage of shuffled round robin in the genesis block celo-org/celo-monorepo#1464)
• 58b05b1 chore: replace travis-ci.org with travis-ci.com (Point end-to-end tests back to master celo-org/celo-monorepo#1469)
• 79e8fdf build(deps-dev): bump jest from 25.2.3 to 25.2.4 (Validate Attestation Requests celo-org/celo-monorepo#1468)
• dddce1c build(deps-dev): bump @ jest/transform from 25.2.3 to 25.2.4 (Allow a specified address to disable/enable the Exchange  celo-org/celo-monorepo#1467)
• d811bae build(deps-dev): bump lint-staged from 10.0.9 to 10.0.10 (Aaronmgdr/airtable upgrade celo-org/celo-monorepo#1466)
• ecc8312 build(deps-dev): bump @ types/react from 16.9.26 to 16.9.27 (Added txpool family to geth apis. Sorted geth cmd options celo-org/celo-monorepo#1462)
• c10ad4a chore(compiler): improve performance for language service (Application crashes when changing the local currency celo-org/celo-monorepo#1461)
• 455ee5b build(deps-dev): bump @ jest/transform from 25.2.1 to 25.2.3 ( [iOS] Sorry something went wrong is shown when user taps on Licenses option from the setting celo-org/celo-monorepo#1459)
• 1641cfb build(deps-dev): bump jest from 25.2.2 to 25.2.3 ([iOS,Android] Error “Failure sending invite” is shown when user send an invitation via SMS.  celo-org/celo-monorepo#1460)
• 3010ec8 build(deps-dev): bump @ jest/types from 25.2.1 to 25.2.3 (Minor UI issues in the new backup flow on iOS celo-org/celo-monorepo#1458)
• 26a81f0 build(deps-dev): bump @ types/react from 16.9.25 to 16.9.26 (Tapping the text next to the toggle in the new backup flow should toggle it celo-org/celo-monorepo#1457)
• 99c552d build(deps-dev): bump jest from 25.2.1 to 25.2.2 ([iOS] Continues Loading indicator is shown on “Reclaim Payment” screen when user navigate back to “Reclaim Payment” screen from “Enter PIN” screen without entering PIN.  celo-org/celo-monorepo#1455)
• 5214f1b build(deps): bump yargs-parser from 18.1.1 to 18.1.2 ( [iOS] Celo Gold amount is cut from bottom on “Exchange” page while user exchanging the cUSD to cGLD.  celo-org/celo-monorepo#1456)
• 79478ae build(deps-dev): bump tslint-plugin-prettier from 2.2.0 to 2.3.0 ([Wallet] Prevent error from Avatar when name is missing celo-org/celo-monorepo#1454)
• 107e062 fix: always do type check for all files provided to ts-jest transformer (Upgrading a testnet without resetting should not init with a new genesis file celo-org/celo-monorepo#1450)
• 1e34075 build(deps-dev): bump @ jest/types from 25.2.0 to 25.2.1 ([Wallet] Use new segment api keys used by both iOS and Android celo-org/celo-monorepo#1452)
• ba5a6c4 build(deps-dev): bump @ jest/transform from 25.2.0 to 25.2.1 (Analytics should be reported from the iOS app celo-org/celo-monorepo#1451)
• e857f5b build(deps-dev): bump jest from 25.2.0 to 25.2.1 ([Wallet] Show splash screen until JS is ready on iOS celo-org/celo-monorepo#1453)
• 4981da8 Merge pull request EU Cookies Behavior Change celo-org/celo-monorepo#1447 from kulshekhar/dependabot/npm_and_yarn/jest/types-25.2.0
• ea8240a Merge pull request Move from let's encrypt v1 API to v2; kube-lego to cert-manager celo-org/celo-monorepo#1448 from kulshekhar/dependabot/npm_and_yarn/jest/transform-25.2.0
• e50db11 build(deps-dev): bump @ jest/types from 25.1.0 to 25.2.0

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn