Skip to content

[Snyk] Fix for 3 vulnerabilities #85

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ryanoolala wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 3 vulnerabilities #85

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,10 @@
"colors": "^1.1.2",
"devtools-detect": "^2.2.0",
"dotenv": "^2.0.0",
"ethereumjs-tx": "^1.3.3",
"ethereumjs-util": "^5.1.2",
"ethereumjs-tx": "^2.1.2",
Copy link

Copilot AI Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ethereumjs-tx is being upgraded here but it does not appear to be imported or required anywhere in the codebase (search_dir shows only ethereumjs-util is used). If this package is truly unused, it would be cleaner to remove it altogether rather than keep an unnecessary dependency, which slightly increases install time and the project’s attack surface.

Suggested change
"ethereumjs-tx": "^2.1.2",

Copilot uses AI. Check for mistakes.
"ethereumjs-util": "^5.2.1",
"highlight.js": "^9.12.0",
"lodash": "^4.17.4",
"lodash": "^4.17.23",
Comment on lines +29 to +32
Copy link

Copilot AI Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These dependency upgrades change the resolved versions in package.json but package-lock.json (and yarn.lock, which is also present in the repo) are not updated, so installs will continue to use the old, potentially vulnerable versions until the lockfiles are regenerated. Before merging, please run the appropriate install/lockfile update (e.g. npm install or npm update and, if Yarn is used, yarn install) and commit the updated lockfile(s) so that builds are reproducible and actually pick up the patched versions.

Copilot uses AI. Check for mistakes.
"marked": "^0.3.17",
"moment": "^2.21.0",
"nan": "^2.10.0",
Expand All @@ -53,10 +53,10 @@
"sha3": "^1.2.2",
"truffle": "^5.0.0",
"truffle-deployer": "^2.0.0",
"web3": "1.0.0-beta.37",
"web3-core-helpers": "1.0.0-beta.37",
"web3-core-method": "1.0.0-beta.37",
"web3-utils": "1.0.0-beta.37",
"web3": "4.0.1",
Copy link

Copilot AI Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upgrading web3 from 1.0.0-beta.37 to 4.0.1 is a major breaking change and the current codebase still relies on v1-style APIs (e.g. web3.toWei/web3.fromWei, callback-based web3.eth.getBalance/getBlockNumber, web3.eth.personal.getAccounts, web3.currentProvider.sendAsync, and web3.currentProvider.rpcEngine._middleware in src/utils/ethutil.js, scripts/deploy_contracts.js, and test/utils/TestUtils.js). With these lines as-is, the front-end and some tests are very likely to break at runtime when built against web3 v4; either the web3 upgrade should be deferred or the codebase should be updated and tested to match the v4 API surface before merging.

Suggested change
"web3": "4.0.1",
"web3": "1.6.0",

Copilot uses AI. Check for mistakes.
"web3-core-helpers": "1.6.0",
"web3-core-method": "1.6.0",
"web3-utils": "1.6.0",
Comment on lines +57 to +59
Copy link

Copilot AI Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The direct dependencies web3-core-helpers, web3-core-method, and web3-utils are bumped to 1.6.0 while web3 itself is set to 4.0.1, and none of these core packages are imported directly in the codebase. This mix of major versions within the same library family is confusing and unnecessary; unless you explicitly depend on these internals, consider removing them as direct dependencies and relying on web3 alone to avoid version skew and simplify maintenance.

Suggested change
"web3-core-helpers": "1.6.0",
"web3-core-method": "1.6.0",
"web3-utils": "1.6.0",

Copilot uses AI. Check for mistakes.
"zeppelin-solidity": "1.6.0"
},
"devDependencies": {
Expand Down