[Snyk] Upgrade: , dotenv, hardhat-contract-sizer, solidity-coverage #31
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade multiple dependencies.
👯♂ The following dependencies are linked and will therefore be updated together.ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
@openzeppelin/contracts-upgradeable
from 4.7.3 to 4.9.6 | 16 versions ahead of your current version | 6 months ago
on 2024-02-29
dotenv
from 16.0.1 to 16.4.5 | 19 versions ahead of your current version | 7 months ago
on 2024-02-20
hardhat-contract-sizer
from 2.6.1 to 2.10.0 | 4 versions ahead of your current version | a year ago
on 2023-06-13
solidity-coverage
from 0.7.21 to 0.8.12 | 22 versions ahead of your current version | 5 months ago
on 2024-04-05
Issues fixed by the recommended upgrade:
SNYK-JS-WS-7266574
SNYK-JS-BROWSERIFYSIGN-6037026
SNYK-JS-ES5EXT-6095076
SNYK-JS-PATHTOREGEXP-7925106
SNYK-JS-HTTPCACHESEMANTICS-3248783
SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425052
SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5711903
SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5838353
SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-6346764
SNYK-JS-REQUEST-3361831
SNYK-JS-TAR-6476909
SNYK-JS-TOUGHCOOKIE-5672873
SNYK-JS-WS-1296835
SNYK-JS-COOKIEJAR-3149984
SNYK-JS-EXPRESS-6474509
SNYK-JS-GOT-2932019
SNYK-JS-GOT-2932019
SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425826
SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5672117
SNYK-JS-WEB3-174533
Release notes
Package name: @openzeppelin/contracts-upgradeable
Base64
: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4926)Multicall
: Patch duplicatedAddress.functionDelegateCall
.ERC2771Context
andContext
: Introduce a_contextPrefixLength()
getter, used to trim extra information appended tomsg.data
.Multicall
: Make aware of non-canonical context (i.e.msg.sender
is not_msgSender()
), allowing compatibility withERC2771Context
.ERC2771Context
: Return the forwarder address whenever themsg.data
of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e.msg.data.length
is less than 20 bytes), as specified by ERC-2771. (#4481)ERC2771Context
: Prevent revert in_msgData()
when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e.msg.data.length
is less than 20 bytes). Return the full calldata in that case. (#4484)Package name: dotenv
16.4.5
16.4.4
16.4.3
16.4.2
16.4.1
16.4.0
16.3.2
16.3.1
16.3.0
16.2.0
Package name: solidity-coverage
What's Changed
hardhat-viem
plugin. If you're using viem, run the coverage task with:require
statement and the terminating semi-colonPRs
require
and terminating;
by @ cgewecke in #884extendConfig
changes in README by @ cgewecke in #885Full Changelog: v0.8.11...v0.8.12
Summary
0.8.11 fixes a(nother) bug that resulted in some line hits remaining undetected when compiling with viaIR=true
What's Changed
Full Changelog: v0.8.10...v0.8.11
Summary
0.8.10 fixes a bug that resulted in some line hits remaining undetected when compiling with
viaIR=true
What's Changed
Full Changelog: v0.8.9...v0.8.10
What's Changed
Full Changelog: v0.8.8...v0.8.9
What's Changed
Install
Full Changelog: v0.8.7...v0.8.8
What's Changed
viaIR
now allowedThis release (hopefully) fixes a long-running problem solidity-coverage had with solc's
viaIR
compilation mode - It's now possible to use it without any special configuration. (Please report any ongoing issues with this to issue #861)If you've been using
.solcover.js
options likeconfigureYulOptimizer
andsolcOptimizerDetails
as a work around, you should remove them when upgrading. (Don't forget to run the hardhat clean task after updating any coverage config stuff).--network
no longer allowedSadly the ganache client has been deprecated. The coverage plugin never worked with its latest major version and the
network
flag only existed for its sake. Going forward, thenetwork
option throws an error notifying the user that coverage only uses the HardhatEVM network.--sources
cli optionYou can now select a single file (or folder) at the command line to generate coverage for. This option should speed things up if you've been waiting for the plugin to instrument everything in a large project whenever you run the command.
(Thanks so much @ clauBv23 for adding this!)
Funding
OpenZeppelin has very generously funded recent work at solidity-coverage via DRIPS, a public goods protocol which helps you direct money to projects in your dependency tree. Thanks so much! ❤️
Links to relevant PRs
onPreCompile
stage hook by @ cgewecke in #851viaIR
compiler flag is true by @ cgewecke in #854Full Changelog: v0.8.6...v0.8.7
What's Changed
Fixes
Documentation
viaIR
optimizer config workaround by @ remedcu in #822check-coverage
cli command by @ cgewecke in #834Dependencies
Misc
New Contributors
Full Changelog: v0.8.5...v0.8.6
What's Changed
.solcoverjs
occurencies to.solcover.js
by @ joaoh9 in #777New Contributors
Full Changelog: v0.8.4...v0.8.5
What's Changed
New Contributors
Full Changelog: v0.8.2...v0.8.4
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"","from":"openzeppelin/contracts-upgradeable","to":"openzeppelin/contracts-upgradeable"},{"name":"dotenv","from":"16.0.1","to":"16.4.5"},{"name":"hardhat-contract-sizer","from":"2.6.1","to":"2.10.0"},{"name":"solidity-coverage","from":"0.7.21","to":"0.8.12"}],"env":"prod","hasFixes":true,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-WS-7266574","issue_id":"SNYK-JS-WS-7266574","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Denial of Service (DoS)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-BROWSERIFYSIGN-6037026","issue_id":"SNYK-JS-BROWSERIFYSIGN-6037026","priority_score":589,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Improper Verification of Cryptographic Signature"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-ES5EXT-6095076","issue_id":"SNYK-JS-ES5EXT-6095076","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-PATHTOREGEXP-7925106","issue_id":"SNYK-JS-PATHTOREGEXP-7925106","priority_score":738,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.9","score":345},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-HTTPCACHESEMANTICS-3248783","issue_id":"SNYK-JS-HTTPCACHESEMANTICS-3248783","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425052","issue_id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425052","priority_score":554,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.8","score":340},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper Input Validation"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5711903","issue_id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5711903","priority_score":479,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper Input Validation"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5838353","issue_id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5838353","priority_score":479,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper Encoding or Escaping of Output"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-6346764","issue_id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-6346764","priority_score":479,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Out-of-bounds Read"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-REQUEST-3361831","issue_id":"SNYK-JS-REQUEST-3361831","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Server-side Request Forgery (SSRF)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-TAR-6476909","issue_id":"SNYK-JS-TAR-6476909","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Uncontrolled Resource Consumption ('Resource Exhaustion')"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-TOUGHCOOKIE-5672873","issue_id":"SNYK-JS-TOUGHCOOKIE-5672873","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Prototype Pollution"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-WS-1296835","issue_id":"SNYK-JS-WS-1296835","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-COOKIEJAR-3149984","issue_id":"SNYK-JS-COOKIEJAR-3149984","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-EXPRESS-6474509","issue_id":"SNYK-JS-EXPRESS-6474509","priority_score":519,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.1","score":305},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-GOT-2932019","issue_id":"SNYK-JS-GOT-2932019","priority_score":484,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.4","score":270},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-GOT-2932019","issue_id":"SNYK-JS-GOT-2932019","priority_score":484,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.4","score":270},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425826","issue_id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425826","priority_score":399,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"3.7","score":185},{"type":"scoreVersion","label":"v1","score":1}],"severity":"low","title":"Denial of Service (DoS)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5672117","issue_id":"SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5672117","priority_score":399,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"3.7","score":185},{"type":"scoreVersion","label":"v1","score":1}],"severity":"low","title":"Missing Authorization"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-WEB3-174533","issue_id":"SNYK-JS-WEB3-174533","priority_score":379,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"3.3","score":165},{"type":"scoreVersion","label":"v1","score":1}],"severity":"low","title":"Insecure Credential Storage"}],"prId":"cab39615-7cb2-4d99-b92f-11be8ec70452","prPublicId":"cab39615-7cb2-4d99-b92f-11be8ec70452","packageManager":"npm","priorityScoreList":[696,589,696,738,586,554,479,479,479,646,646,646,586,586,519,484,399,399,379],"projectPublicId":"c8db6975-f9ad-4b1f-b5e8-94654e147c9d","projectUrl":"https://app.snyk.io/org/muisance/project/c8db6975-f9ad-4b1f-b5e8-94654e147c9d?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["priorityScore"],"type":"auto","upgrade":["SNYK-JS-WS-7266574","SNYK-JS-BROWSERIFYSIGN-6037026","SNYK-JS-ES5EXT-6095076","SNYK-JS-PATHTOREGEXP-7925106","SNYK-JS-HTTPCACHESEMANTICS-3248783","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425052","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5711903","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5838353","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-6346764","SNYK-JS-REQUEST-3361831","SNYK-JS-TAR-6476909","SNYK-JS-TOUGHCOOKIE-5672873","SNYK-JS-WS-1296835","SNYK-JS-COOKIEJAR-3149984","SNYK-JS-EXPRESS-6474509","SNYK-JS-GOT-2932019","SNYK-JS-GOT-2932019","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425826","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5672117","SNYK-JS-WEB3-174533"],"upgradeInfo":{"versionsDiff":16,"publishedDate":"2024-02-29T17:36:55.865Z"},"vulns":["SNYK-JS-WS-7266574","SNYK-JS-BROWSERIFYSIGN-6037026","SNYK-JS-ES5EXT-6095076","SNYK-JS-PATHTOREGEXP-7925106","SNYK-JS-HTTPCACHESEMANTICS-3248783","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425052","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5711903","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5838353","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-6346764","SNYK-JS-REQUEST-3361831","SNYK-JS-TAR-6476909","SNYK-JS-TOUGHCOOKIE-5672873","SNYK-JS-WS-1296835","SNYK-JS-COOKIEJAR-3149984","SNYK-JS-EXPRESS-6474509","SNYK-JS-GOT-2932019","SNYK-JS-GOT-2932019","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5425826","SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5672117","SNYK-JS-WEB3-174533"]}'