
fix(deps): update dependency web3-utils to v4 [security] #203

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Mar 26, 2024

Mend Renovate

This PR contains the following updates:

Package | Change
web3-utils | 1.10.4 -> 4.2.1
web3-utils | ^1.10.0 -> ^4.0.0
web3-utils | ^1.10.4 -> ^4.0.0

GitHub Vulnerability Alerts

CVE-2024-21505

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.


web3-utils Prototype Pollution vulnerability

CVE-2024-21505 / GHSA-87qp-7cw8-8q9c


Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

ChainSafe/web3.js (web3-utils)

v4.2.1


Fixed
web3-eth-abi
  • Bug fix of ERR_UNSUPPORTED_DIR_IMPORT in ABI (#​6535)
Changed
web3-eth-contract
  • Dependencies updated
web3-eth
  • Dependencies updated
web3-eth-ens
  • Dependencies updated
web3-eth-personal
  • Dependencies updated

v4.2.0


Added
web3
  • Various web3 sub packages have new functions; details are in the root changelog
web3-eth
  • Added ALL_EVENTS and ALL_EVENTS_ABI constants, SendTransactionEventsBase type, decodeEventABI method (#​6410)
web3-eth-accounts
  • Added public function privateKeyToPublicKey
  • Added exporting BaseTransaction from the package (#​6493)
  • Added exporting txUtils from the package (#​6493)
web3-types
  • Interface EventLog was added. (#​6410)
web3-utils
  • As a replacement of the node EventEmitter, a custom EventEmitter has been implemented and exported. (#6398)
Fixed
web3-core
  • Fix the issue: "Uncaught TypeError: Class extends value undefined is not a constructor or null #​6371". (#​6398)
web3-errors
  • Added new SchemaFormatError (#​6434)
web3-eth
  • Ensure provider.supportsSubscriptions exists before watching by subscription (#​6440)
  • Fixed param sent to checkRevertBeforeSending in sendSignedTransaction
  • Fixed defaultTransactionBuilder for value issue (#​6509)
web3-eth-abi
  • Fix issue with default config with babel (and React): "TypeError: Cannot convert a BigInt value to a number #​6187" (#​6506)
web3-eth-accounts
  • Fixed recover function, v will be normalized to value 0,1 (#​6344)
web3-providers-http
web3-providers-ipc
  • Fixed bug in chunks processing logic (#​6496)
web3-providers-ws
  • Fixed bug in chunks processing logic (#​6496)
web3-utils
  • Fix issue with default config with babel (and React): "TypeError: Cannot convert a BigInt value to a number #​6187" (#​6506)
  • Fixed bug in chunks processing logic (#​6496)
web3-validator
  • Multi-dimensional arrays are now handled properly when parsing ABIs (#​6435)
  • Fix issue with default config with babel (and React): "TypeError: Cannot convert a BigInt value to a number #​6187" (#​6506)
  • Validator will now properly handle all valid numeric type sizes: intN / uintN where 8 <= N <= 256 and N % 8 == 0 (#​6434)
  • Will now throw SchemaFormatError when unsupported format is passed to convertToZod method (#​6434)
Changed
web3
  • Dependencies updated
web3-core
  • defaultTransactionType is now type 0x2 instead of 0x0 (#​6282)
  • Allows formatter to parse large base fee (#​6456)
  • The package now uses EventEmitter from web3-utils that works in the node environment as well as in the browser. (#6398)
web3-eth
  • Transactions will now default to type 2 transactions instead of type 0, similar to 1.x version. (#​6282)
web3-eth-contract
  • The events property was added to the receipt object (#​6410)
web3-eth-ens
  • Dependencies updated
web3-eth-iban
  • Dependencies updated
web3-eth-personal
  • Dependencies updated
web3-net
  • Dependencies updated
web3-providers-http
  • Bump cross-fetch to version 4 (#​6463).
web3-rpc-methods
  • Dependencies updated

v4.1.1


Added
web3
  • To fix issue #6190, added the functionality to introduce a different timeout value for Web3. (#6336)
web3-core
  • To fix issue #6190, added the functionality to introduce a different timeout value for Web3. (#6336)
web3-eth-contract
  • In case of error events, an inner error will also be available for details
Fixed
web3-eth
  • Added return type for formatSubscriptionResult in class NewHeadsSubscription (#​6368)
web3-core
  • Fixed rpc errors not being sent as an inner error when using the send method on request manager (#​6300).
web3-errors
web3-eth-contract
  • Fixed bug in contract.events.allEvents
web3-validator
Changed
web3-eth-abi
  • Dependencies updated
web3-eth-accounts
  • Dependencies updated
web3-eth-ens
  • Dependencies updated
web3-eth-iban
  • Dependencies updated
web3-eth-personal
  • Dependencies updated
web3-net
  • Dependencies updated
web3-providers-http
  • Dependencies updated
web3-providers-ipc
  • Dependencies updated
web3-providers-ws
  • Dependencies updated
web3-rpc-methods
  • Dependencies updated
web3-types
  • Dependencies updated
web3-utils
  • Dependencies updated

v4.1.0


Added
web3
  • Added minimum support of web3.extend function
web3-core
  • Added minimum support of web3.extend function
web3-errors
  • RpcErrorMessages that contains mapping for standard RPC Errors and their messages. (#​6230)
  • created TransactionGasMismatchInnerError for clarity on the error in TransactionGasMismatchError (#​6215)
  • created MissingGasInnerError for clarity on the error in MissingGasError (#​6215)
web3-eth
  • A rpc_method_wrapper (signTypedData) for the rpc calls eth_signTypedData and eth_signTypedData_v4 (#​6286)
  • A signTypedData method to the Web3Eth class (#​6286)
web3-eth-abi
  • A getEncodedEip712Data method that takes an EIP-712 typed data object and returns the encoded data with the option to also keccak256 hash it (#​6286)
web3-rpc-methods
  • A signTypedData method to eth_rpc_methods for the rpc calls eth_signTypedData and eth_signTypedData_v4 (#​6286)
web3-types
  • eth_signTypedData and eth_signTypedData_v4 to web3_eth_execution_api (#​6286)
  • Eip712TypeDetails and Eip712TypedData to eth_types (#​6286)
web3-validator
  • Added json-schema as a main json schema type (#​6264)
Fixed
web3-core
  • Fixed the issue: "Version 4.x does not fire connected event for subscriptions. #​6252". (#​6262)
web3-errors
  • Fixed: "'disconnect' in Eip1193 provider must emit ProviderRpcError #6003". (#6230)
web3-eth
  • sendTransaction will have gas filled by default using method estimateGas unless transaction builder options.fillGas is false. (#​6249)
  • Missing blockHeaderSchema properties causing some properties to not appear in response of newHeads subscription (#​6243)
web3-providers-ws
Changed
web3-core
  • No need to pass CommonSubscriptionEvents & at every child class of Web3Subscription (#​6262)
  • Implementation of _processSubscriptionResult and _processSubscriptionError has been written in the base class Web3Subscription and made public. (#6262)
  • A new optional protected method formatSubscriptionResult could be used to customize data formatting instead of re-implementing _processSubscriptionResult. (#​6262)
  • No more needed to pass CommonSubscriptionEvents & for the first generic parameter of Web3Subscription when inheriting from it. (#​6262)
web3-eth
  • MissingGasError error message changed for clarity (#​6215)
  • input and data are no longer auto populated for transaction objects if they are not present. Instead, whichever property is provided by the user is formatted and sent to the RPC provider. Transaction objects returned from RPC responses are still formatted to contain both input and data properties (#​6294)
web3-eth-accounts
  • Dependencies updated
web3-eth-contract
  • Dependencies updated
web3-eth-ens
  • Dependencies updated
web3-eth-iban
  • Dependencies updated
web3-eth-personal
  • Dependencies updated
web3-net
  • Dependencies updated
web3-providers-http
  • Dependencies updated
web3-providers-ipc
  • Dependencies updated
web3-types
  • input and data are now optional properties on PopulatedUnsignedBaseTransaction (previously input was a required property, and data was not available) (#​6294)
web3-utils
  • Dependencies updated
web3-validator
  • Replace is-my-json-valid with zod dependency. Related code was changed (#​6264)
  • Types ValidationError and JsonSchema were changed (#​6264)
Removed
web3-eth
  • Missing blockHeaderSchema properties causing some properties to not appear in response of newHeads subscription (#​6243)
  • Type RawValidationError was removed (#​6264)
web3-validator
  • Type RawValidationError was removed (#​6264)

v4.0.7


v4.0.6


v4.0.5


v4.0.4


v4.0.3


Fixed
web3
web3-rpc-methods
web3-types
  • type Filter includes blockHash (#​6206)
web3-utils
  • BigInts pass validation within the method numberToHex (#​6206)
Changed
web3-core
  • Dependencies updated
web3-errors
  • Dependencies updated
web3-eth
  • Dependencies updated
web3-eth-abi
  • Dependencies updated
web3-eth-accounts
  • Dependencies updated
web3-eth-contract
  • Dependencies updated
web3-eth-ens
  • Dependencies updated
web3-eth-iban
  • Dependencies updated
web3-eth-personal
  • Dependencies updated
web3-net
  • Dependencies updated
web3-providers-http
  • Dependencies updated
web3-providers-ipc
  • Dependencies updated
web3-providers-ws
  • Dependencies updated
web3-validator
  • Dependencies updated

v4.0.2


Fixed
web3
web3-core
  • Fixed Batch requests erroring out on one request (#​6164)
  • Fixed the issue: Subscribing to multiple blockchain events causes every listener to be fired for every registered event (#​6210)
  • Fixed the issue: Unsubscribe at a Web3Subscription class will still have the id of the subscription at the Web3SubscriptionManager (#​6210)
  • Fixed the issue: A call to the provider is made for every subscription object (#​6210)
web3-eth-abi
  • Support for "decoding" indexed string event arguments (returns the keccak256 hash of the string value instead of the actual string value) (#​6167)
web3-eth-accounts
  • Fixed "The r and s returned by signTransaction to does not always consist of 64 characters #​6207" (#​6216)
web3-eth-contract
  • Event filtering using non-indexed and indexed string event arguments (#​6167)
web3-eth-ens
web3-providers-ws
web3-types
Added
web3
  • Exported Web3Context, Web3PluginBase, Web3EthPluginBase from 'web3-core', and Web3Validator from 'web3-validator' (#​6165)
web3-core
  • Web3Subscription constructor accepts a Subscription Manager (as an alternative to accepting a Request Manager, which is now marked as deprecated) (#6210)
web3-types
  • Added the SimpleProvider interface which has only request(args) method that is compatible with EIP-1193 (#​6210)
  • Added the Eip1193EventName type that contains the possible events names according to EIP-1193 (#​6210)
Changed
web3-core
  • Web3Subscription constructor overloading that accept a Request Manager is marked as deprecated (#​6210)
web3-errors
  • Dependencies updated
web3-eth
  • Dependencies updated
web3-eth-iban
  • Dependencies updated
web3-eth-personal
  • Dependencies updated
web3-net
  • Dependencies updated
web3-providers-http
  • Dependencies updated
web3-providers-ipc
  • Dependencies updated
web3-rpc-methods
  • Dependencies updated
web3-types
  • The EIP1193Provider class has now all the events (for on and removeListener) according to EIP-1193 (#​6210)
web3-utils
  • Dependencies updated
web3-validator
  • Dependencies updated

v4.0.1

Fixed
  • Dependency tree cannot be resolved by Yarn due to old deprecated packages picked by yarn - fixed (#​5382)

v4.0.0

Note: Yarn is resolving to some old deprecated package versions for 4.0.0-alpha.0 instead of latest alpha versions. A patch bump is posted so yarn users should use 4.0.1-alpha.0 for testing.

Added
web3-errors
  • web3-errors new package is created, it has Web3 Error codes and classes
web3-types
  • web3-types new package is created, it provides the common data structures and interfaces for web3 modules
web3-validator
  • web3-validator new package is created, it has JSON-Schema compatible validator functionality for Web3
Removed
web3-bzz
  • This Package is deprecated
web3-shh
  • This Package is deprecated
web3-core-helpers
  • This Package is removed, errors are moved to web3-errors package and formatters are moved in web3-core package
web3-core-method
  • This Package is removed, and web3-core-method functionality is moved to web3-eth package
web3-core-promieevent
  • This Package is removed, and core promi events functionality is moved to web3-core package
web3-core-requestmanager
  • This Package is removed, batch requests and request manager functionality is moved to web3-core package
web3-core-subscription
  • This Package is removed, and core subscription functionality is moved to web3-core package
Changed
web3
  • Passing callbacks to functions is no longer supported, except for event listeners.
  • Method extend is deprecated
web3-core
  • The function outputBigNumberFormatter in web3-core-helper renamed to outputBigIntFormatter under web3-core
  • Removed this.defaultBlock context from inputDefaultBlockNumberFormatter in web3-core-helper and converted to additional parameter
  • Removed this.defaultBlock context from inputTransactionFormatter in web3-core-helper and converted to additional parameter
web3-utils
  • The functions soliditySha3, soliditySha3Raw and encodePacked now include type validation and require type specification, instead of guessing the value type
  • The functions soliditySha3, soliditySha3Raw and encodePacked did not support BN; they now support BigInt
  • The functions flattenTypes and jsonInterfaceMethodToString moved to the web3-eth-abi package
  • The function isAddress now includes an optional parameter checkChecksum type boolean
  • isBoolean now accepts 1 and 0 as valid values to test. Ref: web3-validator
web3-eth-accounts
  • create function does not take in the optional parameter entropy
  • Wallet.create function doesn't accept entropy param
web3-validator
  • isBoolean now accepts 1 and 0 as valid values to test.
web3-eth-contract
  • Event logs do not support types for indexed properties, but named properties are supported.
  • Types for overloaded ABI functions are not yet supported.
  • signTransaction will not fill any default values, and it will only sign and return result. For filling default values, use web3-eth package
  • recover function's last param is boolean hashed, it is used to indicate if data provided is already hashed or not. By default, this function will assume data is not hashed.
  • The Wallet no longer supports address/number indexing. Have to use wallet.get instead.
  • Wallet.create function doesn't accept entropy param
  • contract.method.send() will resolve to transaction receipt instead of transactionHash. User can use receipt.transactionHash instead.
web3-net
  • Package will not support web3.bzz.net and web3.shh.net
web3-eth-iban
  • IBAN constructor now has validation checks for indirect/direct iban.
  • isDirect, isValid, isIndirect are now also included as static methods.
web3-eth-ens
web3-eth-abi
  • internalType was renamed to baseType in all abi types
web3-eth
  • givenProvider default value is undefined
  • defaultHardfork default value is 'london'
  • defaultAccount default value is undefined
  • defaultNetworkId default value is undefined
  • When sending a transaction, if Ethereum Node does not respond within transactionSendTimeout, throw an Error.
web3-eth-subscribe
  • clearSubscriptions: instead of returning true, it now returns an array of subscription ids
web3-eth-personal
  • givenProvider default value is undefined
  • currentProvider default value is undefined

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
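The advisory quoted above describes the root cause only as an "insecure recursive merge". The following is an added illustration written for this page, not code from web3-utils, web3.js or this repository: a naive recursive merge of the kind the advisory describes (the hypothetical naiveMergeDeep) beside a hardened variant (the hypothetical safeMergeDeep) that refuses prototype-reaching keys, plus a probe (isPrototypePolluted) that a test suite or runtime check can use to detect that Object.prototype has been written to. The JSON payload inside demonstrate() is constructed for the demonstration.

```javascript
// Added example for this page; not code from web3-utils or this repository.
// naiveMergeDeep, safeMergeDeep, isPrototypePolluted and demonstrate are
// hypothetical names chosen here.

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: recurses into every own key of `source`. JSON.parse
// produces an *own* key literally named "__proto__", and reading
// target["__proto__"] yields Object.prototype, so the recursion ends up
// writing input-controlled properties onto the shared prototype.
function naiveMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMergeDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: skips the keys that reach the prototype chain and only
// recurses into objects that `target` owns itself, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop prototype-reaching keys
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      const child = isPlainObject(own) ? own : {};
      target[key] = child;
      safeMergeDeep(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection probe: Object.prototype should never own application-named
// properties; finding one means something has polluted it.
function isPrototypePolluted(probeKey) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
}

// Runs both merges on the same constructed payload and reports which one
// polluted Object.prototype. The pollution is undone afterwards so the rest
// of the process is unaffected.
function demonstrate() {
  // Constructed payload: a harmless "settings" key next to a "__proto__" key.
  const payloadText =
    '{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true}}';
  const results = {};
  try {
    naiveMergeDeep({}, JSON.parse(payloadText));
    results.naivePolluted = isPrototypePolluted('isAdmin');
  } finally {
    delete Object.prototype.isAdmin; // restore the shared prototype
  }
  results.safeMerged = safeMergeDeep({}, JSON.parse(payloadText));
  results.safePolluted = isPrototypePolluted('isAdmin');
  return results;
}
```

Calling demonstrate() returns naivePolluted: true and safePolluted: false, with safeMerged holding only the settings key. The FORBIDDEN_KEYS check together with the own-property test on target is the mitigation pattern; the probe is what a unit test or a startup canary can assert on after deserializing untrusted input, and it is cheap enough to run in CI against every dependency upgrade.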

@renovate renovate bot requested a review from a team as a code owner March 26, 2024 07:36

changeset-bot bot commented Mar 26, 2024

⚠️ No Changeset found

Latest commit: 539c263

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets
Name Type
@celo/celocli Patch
@celo/dev-utils Patch
@celo/base Patch
@celo/connect Patch
@celo/contractkit Patch
@celo/cryptographic-utils Patch
@celo/explorer Patch
@celo/governance Patch
@celo/keystores Patch
@celo/network-utils Patch
@celo/phone-utils Patch
@celo/transactions-uri Patch
@celo/utils Patch
@celo/wallet-base Patch
@celo/wallet-hsm-aws Patch
@celo/wallet-hsm-azure Patch
@celo/wallet-hsm-gcp Patch
@celo/wallet-hsm Patch
@celo/wallet-ledger Patch
@celo/wallet-local Patch
@celo/wallet-remote Patch
@celo/wallet-rpc Patch

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


socket-security bot commented Mar 26, 2024

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package | New capabilities | Transitives | Size | Publisher
npm/[email protected] | None | 0 | 405 kB | jdevcs
npm/[email protected] | None | 0 | 296 kB | jdevcs
npm/[email protected] | None | +1 | 594 kB | jdevcs
npm/[email protected] | None | 0 | 953 kB | luu-alex
npm/[email protected] | None | 0 | 628 kB | colinmcd94

View full report↗︎

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-web3-utils-vulnerability branch from 40e72f9 to 539c263 Compare March 26, 2024 08:49
@aaronmgdr
Member

This will be done as part of a bigger initiative

@aaronmgdr aaronmgdr closed this Mar 26, 2024
Contributor Author

renovate bot commented Mar 26, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 4.x releases. But if you manually upgrade to 4.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/npm-web3-utils-vulnerability branch March 26, 2024 08:59