
[Snyk] Fix for 2 vulnerabilities #34

Open: wants to merge 1 commit into base: master
Brandylee24
Owner

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • examples/web3-onboard-demo/package.json
    • examples/web3-onboard-demo/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
| --- | --- | --- | --- | --- |
| high severity | 131/1000 | Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-8172694) | Yes | No Known Exploit |
| high severity | 170/1000 | Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-8187303) | Yes | Proof of Concept |

Why? (SNYK-JS-ELLIPTIC-8172694, 131/1000): Confidentiality impact: Low, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 6, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 7.03, Likelihood: 1.86, Score Version: V5

Why? (SNYK-JS-ELLIPTIC-8187303, 170/1000): Confidentiality impact: None, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.83, Score Version: V5

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @coinbase/wallet-sdk The new version differs by 39 commits.

Package name: @web3-onboard/coinbase The new version differs by 250 commits.
  • a9e91d2 Merge pull request #1830 from blocknative/release/2.24.4
  • 862669f Merge branch 'develop' into release/2.24.4
  • 9388959 Merge in latest develop
  • cc4b8b0 Bump fast-xml-parser from 4.2.4 to 4.2.5 in /docs (#1828)
  • 05c7853 Merge in latest develop and test
  • 8ce7e6f Update to latest vite and test
  • c2a8de8 Bump semver from 6.3.0 to 6.3.1 in /examples/with-ledger (#1827)
  • 452d942 Bump @antfu/utils from 0.7.2 to 0.7.4 in /docs (#1753)
  • 24f2d5c Bump vite from 4.3.5 to 4.3.9 in /docs (#1757)
  • 92da953 Bump fast-xml-parser from 4.2.2 to 4.2.4 in /docs (#1761)
  • 63ca515 Bump semver from 6.3.0 to 6.3.1 in /examples/with-vuejs-v2 (#1826)
  • bcc4be3 Bump semver from 6.3.0 to 6.3.1 in /examples/with-nextjs (#1825)
  • 667b753 feat: update dappauth lib for compatibility (#1781)
  • 009fcd3 Merge branch 'docs' into release/2.24.4
  • f1640bc Merge branch 'main' into release/2.24.4
  • 637db65 Update docs for WC implementation
  • 4e8f66c Update Wallet Connect V2 for vite example (#1802)
  • 7cc952f Fix: Add WC validation for props, add prop to handle MetaMask usage through WC, Bump Coinbase sdk version (#1822)
  • aef4362 Merge pull request #1814 from blocknative/release/2.24.3
  • b2fa704 Merge pull request #1812 from blocknative/release/2.24.3
  • 31583e3 Merge pull request #1813 from blocknative/release/2.24.3
  • 8fd2751 Merge branch 'docs' into release/2.24.3
  • 2302d67 Merge branch 'main' into release/2.24.3
  • 83fe1f6 Remove alpha flags from docs and demo

Package name: @web3-onboard/core The new version differs by 250 commits.
  • 0ea0fed Merge pull request #2214 from blocknative/release/2.26.0
  • 419e8bc Remove unused import
  • dc7993a Merge in develop
  • 820fb38 Fix upstream handling of number chain Ids by adding a check to the chainChanged listener (#2216)
  • b01537a Remove log
  • 1778aa0 Update docs versions
  • 152960e Update versions for release
  • de391b5 Merge branch 'docs' into release/2.26.0
  • 8785823 Merge branch 'main' into release/2.26.0
  • baf9120 Remove alpha.1 flags
  • d68c0ed Update hw-wallet packages for type alignment (#2211)
  • 89cd237 Fix - Core import of wagmi module version (#2210)
  • e00ef35 Update wagmi usage docs (#2207)
  • 4bcdc19 Add sunset warnings to tx preview (#2205)
  • 3fcee26 Fix wagmi versioning (#2206)
  • 0fdd0ac Feature - Replace internal Ethers functionality with Viem - Add WAGMI support module (#2203)
  • 15af477 Merge pull request #2202 from blocknative/wc/bump_deps
  • b0f69e4 Update WC versions
  • d8dd346 Merge pull request #2201 from blocknative/release/2.25.7
  • 0fe8cb4 Merge pull request #2199 from blocknative/release/2.25.7
  • 9b780b9 Merge pull request #2200 from blocknative/release/2.25.7
  • 3ed7965 commit MM fix and yarn docs
  • 9f69fce Merge in docs
  • 2c6153b Update versions for release

Package name: @web3-onboard/walletconnect The new version differs by 250 commits.
  • 0ea0fed Merge pull request #2214 from blocknative/release/2.26.0
  • 419e8bc Remove unused import
  • dc7993a Merge in develop
  • 820fb38 Fix upstream handling of number chain Ids by adding a check to the chainChanged listener (#2216)
  • b01537a Remove log
  • 1778aa0 Update docs versions
  • 152960e Update versions for release
  • de391b5 Merge branch 'docs' into release/2.26.0
  • 8785823 Merge branch 'main' into release/2.26.0
  • baf9120 Remove alpha.1 flags
  • d68c0ed Update hw-wallet packages for type alignment (#2211)
  • 89cd237 Fix - Core import of wagmi module version (#2210)
  • e00ef35 Update wagmi usage docs (#2207)
  • 4bcdc19 Add sunset warnings to tx preview (#2205)
  • 3fcee26 Fix wagmi versioning (#2206)
  • 0fdd0ac Feature - Replace internal Ethers functionality with Viem - Add WAGMI support module (#2203)
  • 15af477 Merge pull request #2202 from blocknative/wc/bump_deps
  • b0f69e4 Update WC versions
  • d8dd346 Merge pull request #2201 from blocknative/release/2.25.7
  • 0fe8cb4 Merge pull request #2199 from blocknative/release/2.25.7
  • 9b780b9 Merge pull request #2200 from blocknative/release/2.25.7
  • 3ed7965 commit MM fix and yarn docs
  • 9f69fce Merge in docs
  • 2c6153b Update versions for release

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

…demo/package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-8172694
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303