[Snyk] Fix for 2 vulnerabilities

[Jircs1]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	701/1000 Why? Recently disclosed, Has a fix available, CVSS 8.3	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8172694	Yes	No Known Exploit
	828/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.7	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8187303	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: elliptic

The new version differs by 10 commits.

• 03e06e1 6.5.6
• 7ac5360 Merge commit from fork
• 7570078 6.5.5
• 206da2e lib: lint
• 0a78e03 [Fix] restore node < 4 compat
• 43ac7f2 6.5.4
• f4bc72b package: bump deps
• 441b742 ec: validate that a point before deriving keys
• e71b2d9 lib: relint using eslint
• 8421a01 build(deps): bump elliptic from 6.4.1 to 6.5.3 (Redirect to my project lists and add to my BlockchainID extension  bnb-chain/bsc-genesis-contract#231)

See the full diff

Package name: ethereum-input-data-decoder

The new version differs by 26 commits.

• a38601c Bump minor version
• 4769555 Bug fixes and use ethers AbiCoder to decode function data where possible
• c727af7 Bump version
• 587d7a0 Merge branch 'plutalov-master'
• 77249fa Remove the redundant dependency
• eb5bc44 Add real TypeScript definitions
• 1a2484b Bump version
• 863273a Merge branch 'roderik-master'
• 9469a28 fix: upgrade meow to fix CVE issues
• a19603a Bump version
• 0c012ff Merge branch 'alexcampbelling-fix/nested-tuple-array'
• 1613760 Merge branch 'fix/nested-tuple-array' of https://github.com/alexcampbelling/ethereum-input-data-decoder into alexcampbelling-fix/nested-tuple-array
• 3b89e05 Update package.json
• bfbd0c1 Merge branch 'NunoAlexandre-master'
• e4e4cf4 Make lib importable on typescript projects
• 2940c6e Typuple type to null
• 736e176 Comments
• b170a4a removed comments
• d54eea8 builds
• ff9b3e9 Cleaned up recursive base cases in which types were being indexed where they shouldn't be
• a9dd15c Semver match original style
• ed05ad0 Builds
• 4009c02 Recursive tuple strip and 2 new tests
• 47e5756 handle tuple array of arrays

See the full diff

Package name: solidity-bytes-utils

The new version differs by 41 commits.

• e93b867 Add deleted set of memory variables accidentally deleted with the last PR to master
• fa2792e Revert version constraints back to `^0.5.0` in order to enhance compatibility
• 425edac Merge branch 'master' into develop
• 7727420 Change truffle config file to always use the right compielr version
• 87e1c28 Add eth lint (R4R: add parameters to bind event to facilitate reconciliation bnb-chain/bsc-genesis-contract#30)
• 1b55da7 Revert "Publish to GitHub package manager"
• 0cfd42f Publish to GitHub package manager
• 8f91f5d Merge branch 'master' into develop
• e3d1f68 Fix for new truffle version breaking Codeship CI
• 8183d09 Merge branch 'master' into develop
• 5f91a80 Hotfix for correct EPM deployment
• cd17878 Bump version to 0.0.8
• 541c524 Update dependencies
• de03428 Merge branch 'master' into develop
• db88c30 Fix README with correct example of import from NPM
• 658e88b Implement toUintXX for 64, 96 and 128 bits (R4R: mark some methods as read only bnb-chain/bsc-genesis-contract#25)
• 3222bc1 Fix typo in package-lock.json
• 40adf99 Merge branch 'master' into develop
• 5741a27 Update dependency versions
• e177b3b Bump version in package-lock.json
• 5670587 Bump version to v0.0.7
• 9df9e9b Update package-lock.json
• d942a00 (WIP) Upgrade to Solidity v0.5.0 (R4R: fix miniToken checker issue bnb-chain/bsc-genesis-contract#21)
• 4f5a1a9 Merge branch 'develop' of github.com:GNSPS/solidity-bytes-utils into develop

See the full diff

Package name: web3

The new version differs by 250 commits.

• c8799b0 changelog bumps
• 50a2469 version bumps
• 09f4c8b Fix validation uint int sizes (#6434)
• 226b3ba 6508 fix (#6509)
• 70d1957 Add functionality to extend tx types (#6493)
• 10d1f12 socket provider fix 6416 (#6496)
• 42502b6 Avoid using `**` with `BigInt` (#6506)
• e760667 update tests (#6474)
• 6e43d1b Fix typos (#6494)
• b38f00d getRevertReason update for signed Txs (#6497)
• 9a5fd87 fix: web3.min.js cdn 404 (#6489)
• 4879326 Implement `EventEmitter` compatible with browsers (#6398)
• ae98628 Bump postcss from 8.4.24 to 8.4.31 in /docs (#6476)
• 6d99cd0 waitForTransactionReceipt fix (#6464)
• 0e78235 Bump zod from 3.21.4 to 3.22.3 (#6477)
• 80986bb fix stale (#6473)
• 9b03f9d Fixed withdrawals property type bytes to address (#6471)
• 90d78c1 add privateKeyToPublicKey function to accounts (#6466)
• bfcbea8 Bump cross-fetch to version 4 (#6463)
• 4b445ae Fixup base fee type (#6456)
• 3060994 6344 - normalize v on recover (#6462)
• c490c18 feat: replace ethers abi coder with ours (#6385)
• b8fa712 fix: timer types to be context dependent (#6460)
• 80adabe make default transaction 0x2 (#6426)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[socket-security]

Report too large to display inline

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Git dependency	npm/[email protected]	Dependency: ethereumjs-abi@git+https://github.com/ethereumjs/ethereumjs-abi.git Location: Package overview	package-lock.json	⚠︎
Protestware or potentially unwanted behavior	npm/[email protected]	Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts.	package-lock.json	⚠︎

View full report↗︎

Next steps

What are git dependencies?

Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.

Publish the git dependency to npm or a private package repository and consume it from there.

What is protestware?

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]