Package Vulnerability #698
Comments
Thank you for your report. We are currently working to remove web3 v1 dependency that will get rid of those unmaintained libs. In any case the protocol-kit is not affected as it doesn't make use of the Swarm network.
Thanks
Hi there, any update on moving off of web3 v1? There is a vulnerability in web3-utils < v4.2.1. However, here's the dependency tree:
meaning typechecks would fail with this combination of versions. Would appreciate an update, thanks!
@andrewkmin Thank you for sharing this. It will be our main focus until we get rid of it.
Hello, are there any updates?
@DmytroShalaiev we are currently working on a big refactor in which we will get rid of web3 v1
Thanks I will follow updates
@DmytroShalaiev we are still preparing the release, we will publish the new version soon. There will be breaking changes affecting some of the kits, we are finishing the migration guides before publishing.
Thanks, will be waiting
@DmytroShalaiev latest published version should solve all the mentioned vulnerabilities https://github.com/safe-global/safe-core-sdk/releases/tag/r40
Thanks I will upgrade and check
tough-cookie (package.json) 2.5.0
CVE-2023-26136 https://avd.aquasec.com/nvd/cve-2023-26136
tough-cookie: prototype pollution in cookie memstore
Fixed in 4.1.3