Skip to content

[Snyk] Upgrade: , axios, gauge, web3 #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AKJUS wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade: , axios, gauge, web3 #3

AKJUS wants to merge 1 commit into from

Conversation

@AKJUS
Copy link
Owner

@AKJUS AKJUS commented Sep 15, 2024

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

@polkadot/api
from 10.11.2 to 10.13.1 | 8 versions ahead of your current version | 5 months ago
on 2024-04-16
axios
from 1.6.5 to 1.7.5 | 12 versions ahead of your current version | 23 days ago
on 2024-08-23
gauge
from 5.0.1 to 5.0.2 | 1 version ahead of your current version | 4 months ago
on 2024-05-04
web3
from 4.3.0 to 4.12.1 | 170 versions ahead of your current version | 23 days ago
on 2024-08-23

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Server-side Request Forgery (SSRF)
SNYK-JS-AXIOS-7361793		 761 Proof of Concept
high severity Prototype Pollution
SNYK-JS-WEB3UTILS-6229337		 761 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-WS-7266574		 761 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610		 761 Proof of Concept
Release notes
Package name: @polkadot/api from @polkadot/api GitHub release notes
Package name: axios from axios GitHub release notes
Package name: gauge from gauge GitHub release notes
Package name: web3
  • 4.12.1 - 2024-08-23

    Hot fix

    [4.12.1]

    Fixed

    web3-eth-accounts

    • Revert TransactionFactory.registerTransactionType if there is a version mistatch between web3-eth and web3-eth-accounts and fix nextjs problem. (#7216)

    What's Changed

  • 4.12.1-dev.e746566.0 - 2024-08-22
  • 4.12.1-dev.0b75589.0 - 2024-08-23
  • 4.12.0 - 2024-08-22

    [4.12.0]

    Fixed

    web3-core

    • setConfig() fix for setMaxListenerWarningThreshold fix (#5079)

    web3-eth-accounts

    • Fix TransactionFactory.registerTransactionType not working, if there is a version mistatch between web3-eth and web3-eth-accounts by saving extraTxTypes at globals. (#7197)

    Added

    web3-eth-accounts

    • Added public function signMessageWithPrivateKey (#7174)

    web3-eth-contract

    • Added populateTransaction to the contract.deploy(...) properties. (#7197)

    web3-providers-http

    • Added statusCode of response in ResponseError, statusCode is optional property in ResponseError.

    web3-rpc-providers

    • Updated rate limit error of QuickNode provider for HTTP transport
    • Added optional HttpProviderOptions | SocketOptions in Web3ExternalProvider and QuickNodeProvider for provider configs

    web3-errors

    • Added optional statusCode property of response in ResponseError.

    Changed

    web3-eth-contract

    • The returnred properties of contract.deploy(...) are structured with a newly created class named DeployerMethodClass. (#7197)
    • Add a missed accepted type for the abi parameter, at dataInputEncodeMethodHelper and getSendTxParams. (#7197)

    What's Changed

    New Contributors

  • 4.11.2-dev.f87ffbe.0 - 2024-08-01
  • 4.11.2-dev.dee14ec.0 - 2024-07-30
  • 4.11.2-dev.d9d0391.0 - 2024-08-20
  • 4.11.2-dev.cbbbd84.0 - 2024-07-24
  • 4.11.2-dev.8b435c1.0 - 2024-08-06
  • 4.11.2-dev.61e9e06.0 - 2024-08-02
  • 4.11.2-dev.60fc197.0 - 2024-08-21
  • 4.11.2-dev.5080e80.0 - 2024-08-02
  • 4.11.2-dev.4f8e8cc.0 - 2024-08-21
  • 4.11.2-dev.2ef694c.0 - 2024-08-21
  • 4.11.2-dev.0db2b18.0 - 2024-08-08
  • 4.11.2-dev.2706805.0 - 2024-08-02
  • 4.11.1 - 2024-07-24

    [4.11.1]

    Fixed

    web3-errors

    • Fixed the undefined data in Eip838ExecutionError constructor (#6905)

    web3-eth

    • Adds transaction property to be an empty list rather than undefined when no transactions are included in the block (#7151)
    • Change method getTransactionReceipt to not be casted as TransactionReceipt to give proper return type (#7159)

    web3

    • Remove redundant constructor of contractBuilder (#7150)

    What's Changed

    New Contributors

    Full Changelog: v4.11.0...v4.11.1

  • 4.11.1-dev.e5efe49.0 - 2024-07-22
  • 4.11.1-dev.cbcfc18.0 - 2024-07-22
  • 4.11.1-dev.9afaa61.0 - 2024-07-16
  • 4.11.1-dev.6b80cf0.0 - 2024-07-12
  • 4.11.1-dev.5f6deeb.0 - 2024-07-22
  • 4.11.1-dev.5ad7e5b.0 - 2024-07-17
  • 4.11.1-dev.463d070.0 - 2024-07-11
  • 4.11.0 - 2024-07-11

    [4.11.0]

    Fixed

    web3-eth-abi

    • fix encodedata in EIP-712 (#7095)

    web3-utils

    • _sendPendingRequests will catch unhandled errors from _sendToSocket (#6968)

    web3-eth

    • Fixed geth issue when running a new instance, transactions will index when there are no blocks created (#7098)

    Changed

    web3-eth-accounts

    • baseTransaction method updated (#7095)

    web3-providers-ws

    • Update dependancies (#7109)

    web3-rpc-providers

    • Change request return type Promise<ResultType> to Promise<JsonRpcResponseWithResult<ResultType>> (#7102)

    Added

    web3-eth-contract

    • populateTransaction was added to contract methods (#7124)
    • Contract has setTransactionMiddleware and getTransactionMiddleware for automatically passing to sentTransaction for deploy and send functions (#7138)

    web3-rpc-providers

    • When error is returned with code 429, throw rate limit error (#7102)

    web3

    • web3.eth.Contract will get transaction middleware and use it, if web3.eth has transaction middleware. (#7138)
  • 4.10.1-dev.89711ab.0 - 2024-07-10
  • 4.10.1-dev.1436228.0 - 2024-07-09
  • 4.10.0 - 2024-06-17

    [4.10.0]

    Added

    web3

    • Now when existing packages are added in web3, will be avalible for plugins via context. (#7088)

    web3-core

    • Now when existing packages are added in web3, will be avalible for plugins via context. (#7088)

    web3-eth

    • sendTransaction in rpc_method_wrappers accepts optional param of TransactionMiddleware (#7088)
    • WebEth has setTransactionMiddleware and getTransactionMiddleware for automatically passing to sentTransaction (#7088)

    web3-eth-ens

    • getText now supports first param Address
    • getName has optional second param checkInterfaceSupport

    web3-types

    • Added result as optional never and error as optional never in type JsonRpcNotification` (#7091)
    • Added JsonRpcNotfication as a union type in JsonRpcResponse (#7091)

    web3-rpc-providers

    • Alpha release

    Fixed

    web3-eth-ens

    • getName reverse resolution

    What's Changed

@snyk-bot
fix: upgrade multiple dependencies with Snyk
5ce1eb2 
Snyk has created this PR to upgrade:
  - @polkadot/api from 10.11.2 to 10.13.1.
    See this package in npm: https://www.npmjs.com/package/@polkadot/api
  - axios from 1.6.5 to 1.7.5.
    See this package in npm: https://www.npmjs.com/package/axios
  - gauge from 5.0.1 to 5.0.2.
    See this package in npm: https://www.npmjs.com/package/gauge
  - web3 from 4.3.0 to 4.12.1.
    See this package in npm: https://www.npmjs.com/package/web3

See this project in Snyk:
https://app.snyk.io/org/akjus/project/d095e41e-16d4-4453-bf38-cfc2ca9e5524?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AKJUS @snyk-bot