This repository has been archived by the owner on Jan 24, 2022. It is now read-only.

npm audit reports High vulnerability in @openzeppelin/[email protected] for dependency elliptic #1578

Open
abcoathup opened this issue Aug 24, 2020 · 0 comments

@abcoathup (Contributor) commented Aug 24, 2020

npm audit reports High vulnerability in @openzeppelin/[email protected] for dependency elliptic

NPM Advisory:
https://npmjs.com/advisories/1547

From ethers-io/ethers.js#985

I believe the vulnerability does not affect Ethereum, since adding null-byte padding to the front of anything signed as RLP data or as an EIP-191 payload mangles the meaning of its representation.

Reported in the Community Forum: https://forum.openzeppelin.com/t/vulnerabilities-reported-when-installing-openzeppelin-upgrades-via-npm/3614

$ npm i @openzeppelin/upgrades

...

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN [email protected] No description
npm WARN [email protected] No repository field.

+ @openzeppelin/[email protected]
added 415 packages from 321 contributors and audited 415 packages in 32.604s

6 packages are looking for funding
  run `npm fund` for details

found 564 vulnerabilities (1 low, 563 high)
  run `npm audit fix` to fix them, or `npm audit` for details
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Signature Malleability                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ elliptic                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/upgrades                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @openzeppelin/upgrades > ethers > elliptic                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1547                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
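Added example, not part of this issue and not code from elliptic, ethers.js or OpenZeppelin: a strict DER (r, s) parser placed beside a deliberately lenient one, to show concretely what encoding-level "signature malleability" means, followed by the low-s check that Ethereum tooling (EIP-2, OpenZeppelin's ECDSA library) applies against the other, curve-level ECDSA malleability. All function names (parseStrictDer, parseLenientDer, padLeadingZero, appendTrailing, isLowS, toLowS, demo) and the sample r and s values are constructed for this example; the lenient parser illustrates the class of leniency the advisory describes and is not elliptic's actual implementation.

```javascript
// Added example (not from the issue, elliptic, ethers.js or OpenZeppelin).
// Assumptions: secp256k1-sized scalars (at most 32 bytes), Node.js with BigInt.

const SECP256K1_N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');
const HALF_N = SECP256K1_N / 2n;

// Strict DER: SEQUENCE { INTEGER r, INTEGER s }, minimal integer encodings,
// short-form lengths only, no trailing bytes. Throws on anything that is not
// the single canonical byte string for (r, s).
function parseStrictDer(sig) {
  if (sig.length < 8 || sig[0] !== 0x30) throw new Error('not a SEQUENCE');
  if (sig[1] >= 0x80) throw new Error('long-form length not allowed');
  if (sig[1] !== sig.length - 2) throw new Error('SEQUENCE length mismatch');
  let pos = 2;
  const readInt = () => {
    if (sig[pos] !== 0x02) throw new Error('expected INTEGER');
    const len = sig[pos + 1];
    if (len === 0 || len >= 0x80 || len > 33) throw new Error('bad INTEGER length');
    const val = sig.subarray(pos + 2, pos + 2 + len);
    if (val.length !== len) throw new Error('INTEGER truncated');
    if (val[0] & 0x80) throw new Error('negative INTEGER');
    // A leading 0x00 is only allowed when needed to keep the value positive.
    if (val[0] === 0x00 && len > 1 && !(val[1] & 0x80)) throw new Error('non-minimal INTEGER (leading zero)');
    pos += 2 + len;
    return BigInt('0x' + val.toString('hex'));
  };
  const r = readInt();
  const s = readInt();
  if (pos !== sig.length) throw new Error('trailing bytes after signature');
  if (r === 0n || r >= SECP256K1_N || s === 0n || s >= SECP256K1_N) throw new Error('r or s out of range');
  return { r, s };
}

// Deliberately lenient parser (constructed for contrast, not elliptic's code):
// ignores the outer length, strips any number of leading zero bytes and never
// looks at data after the second INTEGER. Several byte strings map to one (r, s).
function parseLenientDer(sig) {
  if (sig[0] !== 0x30) throw new Error('not a SEQUENCE');
  let pos = 2;
  const readInt = () => {
    if (sig[pos] !== 0x02) throw new Error('expected INTEGER');
    const len = sig[pos + 1];
    let val = sig.subarray(pos + 2, pos + 2 + len);
    while (val.length > 1 && val[0] === 0x00) val = val.subarray(1);
    pos += 2 + len;
    return BigInt('0x' + val.toString('hex'));
  };
  return { r: readInt(), s: readInt() };
}

// Canonical DER encoder used to build the sample signature bytes.
function encodeInt(x) {
  let hex = x.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  let val = Buffer.from(hex, 'hex');
  if (val[0] & 0x80) val = Buffer.concat([Buffer.from([0x00]), val]); // keep it positive
  return Buffer.concat([Buffer.from([0x02, val.length]), val]);
}
function encodeDer(r, s) {
  const body = Buffer.concat([encodeInt(r), encodeInt(s)]);
  return Buffer.concat([Buffer.from([0x30, body.length]), body]);
}

// Malleation 1: an extra leading 0x00 on r with both lengths fixed up (valid BER, invalid DER).
function padLeadingZero(der) {
  const out = Buffer.concat([der.subarray(0, 4), Buffer.from([0x00]), der.subarray(4)]);
  out[1] = der[1] + 1; // SEQUENCE length
  out[3] = der[3] + 1; // r INTEGER length
  return out;
}
// Malleation 2: a trailing byte the lenient parser never reads.
function appendTrailing(der) {
  return Buffer.concat([der, Buffer.from([0x00])]);
}

// Curve-level malleability: (r, s) and (r, n - s) verify for the same message
// and key, so Ethereum (EIP-2) only accepts the low-s half.
function isLowS(s) { return s > 0n && s <= HALF_N; }
function toLowS(s) { return isLowS(s) ? s : SECP256K1_N - s; }

// Runs each parser over the canonical bytes and the two malleated variants.
function demo() {
  const r = BigInt('0x' + '1f'.repeat(32)); // constructed values, not a real signature
  const s = BigInt('0x' + '2a'.repeat(32));
  const canonical = encodeDer(r, s);
  const variants = { canonical, padded: padLeadingZero(canonical), trailing: appendTrailing(canonical) };
  const results = {};
  for (const [name, bytes] of Object.entries(variants)) {
    let strict;
    try { strict = parseStrictDer(bytes); } catch (e) { strict = 'rejected: ' + e.message; }
    results[name] = { hex: bytes.toString('hex'), lenient: parseLenientDer(bytes), strict };
  }
  return results;
}

console.log(demo());
```

Run it with node: both parsers agree on the canonical bytes, while for the padded and trailing-byte variants the lenient parser returns exactly the same (r, s) as for the canonical bytes and the strict parser throws. That is the practical point of the advisory: a signature's raw bytes only identify a signature (for replay protection, deduplication, or as a map key) when the encoding is canonical. Ethereum's raw 65-byte r||s||v form has no DER layer to be lenient about, which is the reason given in the quoted ethers.js comment, but the (r, n - s) malleability remains and is what the low-s rule closes.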