[Snyk] Fix for 34 vulnerabilities #782

leojoy95 · 2023-12-06T06:12:08Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/contractkit/package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	Yes	Proof of Concept
644/1000 Why? Has a fix available, CVSS 8.6	Use of Weak Hash SNYK-JS-CRYPTOJS-6028119	Yes	No Known Exploit
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSTAR-559095	Yes	Proof of Concept
554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	Yes	No Known Exploit
509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	Yes	No Known Exploit
706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	Yes	Proof of Concept
484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
703/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MOUT-1014544	Yes	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MOUT-2342654	Yes	Proof of Concept
539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
379/1000 Why? Has a fix available, CVSS 3.3	Insecure Credential Storage SNYK-JS-WEB3-174533	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @0x/subproviders

The new version differs by 250 commits.

aad2bd4 Publish
ae6753a Updated CHANGELOGS & MD docs
91344c0 Bump CirciCI to nodejs16 ([Snyk] Fix for 1 vulnerabilities #68)
ae232fa Bump CI to node16
b89d468 Cannot run installation against specific package ([Snyk] Fix for 1 vulnerabilities #67)
e003034 fix: Update deps fix ([Snyk] Fix for 1 vulnerabilities #65)
14e5370 empty
27955e3 chore: Update deps ([Snyk] Fix for 3 vulnerabilities #64)
7e7e6dc fix: Fix subprovider tests
dbd0dc0 bump ts
094c081 Bump subprovider deps
3c0bb9e Update @ ethereumjs/common
9d28e7d Unpin merkle-patricia-tree
b543924 Add repository to @ 0x/subproviders
0787b82 Publish
c9009bd Updated CHANGELOGS & MD docs
136b9dd Merge pull request [Snyk] Security upgrade web3 from 1.0.0-beta.37 to 1.6.0 #62 from 0xProject/fix/ethereum-types-linkReferences
c44fb80 make compiler output artifact `linkReferences` optional (for 0.8)
41976dd Publish
e7e2055 Updated CHANGELOGS & MD docs
33ae44c Update publish.yml
343b40d Merge pull request [Snyk] Fix for 4 vulnerabilities #61 from 0xProject/fix/solc-compiler-0.8-support
b80738e update sol-tracing-utils deps
7f28191 appease prettier

See the full diff

Package name: babel-jest

The new version differs by 250 commits.

be16e47 v27.0.0
63102ec chore: update changelog for release
564694a docs(blog): Jest 27 blog post (Increase throughput celo-org/celo-monorepo#11131)
b68d91b feat(pretty-print): add option `printBasicPrototype` (#11441)
2226742 chore: minor simplify format results error (#11432)
78eb25d chore: remove needless assign (#11433)
696c455 chore: update lockfile after publish
e2eb9ae v27.0.0-next.11
3b253f8 Wait for closed resources to actually close before detecting open handles (#11429)
27bee72 fix: run GC before collecting open handles (#11278)
50451df feat: use fallback if prettier not found (#11400)
150dbd8 chore: update lockfile after publish
6f44529 v27.0.0-next.10
cbcec7d Upgrade fsevents in jest-haste-map (#11428)
9633a26 feat: support reporters written in ESM (#11427)
59f42d8 fix: do not cache modules that throw during evaluation (#11263)
57e32e9 Detect open handles with done callbacks (#11382)
a397607 Document and test dontThrow for custom inline snapshot matchers (Soloseng/celo-minting-schedule celo-org/celo-monorepo#10995)
4fa3a0b feat: custom haste (feat(foundry): publish L2 state in @celo/devchain-anvil celo-org/celo-monorepo#11107)
2047a36 chore: bump deps (#11419)
a4358d6 chore: run prettier on changelog
bdd6282 Move all default values into `jest-config` (Current Celo cli cannot approve until 1.3.0.0 Governance.sol is deployed celo-org/celo-monorepo#9924)
db643a1 Link to Jest config (forge test should be all green and exclude e2e tests that require a devchain celo-org/celo-monorepo#11106)
b16082c Fix locale issue Figure out what to do with ASv1 related code celo-org/celo-monorepo#10014 (#11412)

See the full diff

Package name: jest

The new version differs by 250 commits.

75006e4 v29.0.0
7c82a9f chore: update jest-watch-typeahead again
352ff29 chore: update changelog for release
33ad8c3 docs: Jest 29 blog post (#13103)
dda77e5 docs: collapse 28.0 and 28.1 docs (#13104)
c0dc84c chore: update jest-watch-typeahead
05f6217 fix: support deep CJS re-exports when using ESM (#13170)
490fd88 chore: update yarn (#13169)
98936a2 docs: Update Enzyme links to use new URL (#13166)
187566a feat(pretty-format): allow to opt out from sorting object keys with `compareKeys: null` (#12443)
ae2bed7 chore: tweak regex used in e2e tests (#13129)
8c56d74 docs: Update Configuration.md for added special notes on usage scenarios for pnpm. (#13115)
fb1c53d feat(jest-config)!: remove undocumented `collectCoverageOnlyFrom` option (#13156)
075b489 fix: ignore `EISDIR` when resolving symlinks (#13157)
3bef02e feat(@ jest/test-result, @ jest/types)!: replace `Bytes` and `Milliseconds` types with `number` (#13155)
4def94b v29.0.0-alpha.6
0f00d4e fix: replace non-CLI `rimraf` usage (#13151)
6a90a2c fix: Allow updating inline snapshots when test includes JSX (#12760)
983274a feat: Let `babel` find config when updating inline snapshots (#13150)
d2ff18a chore: make prettierPath optional in `SnapshotState` (#13149)
7d8d01c feat(circus): added each to failing tests (#13142)
a5b52a5 chore(types): separate MatcherContext, MatcherUtils and MatcherState (#13141)
79b5e41 chore: get rid of peer dep warning in website
812763d chore: enable 'no-duplicate-imports' (#13138)