Please update your dependencies! #501

Closed
rhlsthrm opened this issue May 11, 2021 · 18 comments · Fixed by #774
Comments

@rhlsthrm
Contributor

This package comes up with security vulnerabilities when you run npm audit. Can you please update the deps?

@sfoxdev

sfoxdev commented May 11, 2021

Same here, auditing version 3.3.1 getting tons of vulns for lodash and underscore.

npm audit

...

  High            Command Injection

  Package         lodash

  Dependency of   @ethereum-waffle/chai

  Path            @ethereum-waffle/chai > @ethereum-waffle/provider >
                  ganache-core > web3-provider-engine > eth-json-rpc-infura >
                  json-rpc-engine > babel-preset-env >
                  babel-plugin-transform-es2015-classes >
                  babel-helper-function-name > babel-types > lodash

  More info       https://npmjs.com/advisories/1673




  High            Command Injection

  Package         lodash

  Dependency of   @ethereum-waffle/chai

  Path            @ethereum-waffle/chai > @ethereum-waffle/provider >
                  ganache-core > web3-provider-engine > eth-block-tracker >
                  json-rpc-engine > babel-preset-env >
                  babel-plugin-transform-es2015-function-name >
                  babel-helper-function-name > babel-types > lodash

  More info       https://npmjs.com/advisories/1673

...


 High            Arbitrary Code Execution

  Package         underscore

  Patched in      >=1.12.1

  Dependency of   @ethereum-waffle/chai

  Path            @ethereum-waffle/chai > @ethereum-waffle/provider >
                  ganache-core > web3 > web3-eth > web3-net > web3-core >
                  web3-core-requestmanager > web3-providers-http >
                  web3-core-helpers > web3-utils > underscore

  More info       https://npmjs.com/advisories/1674


  High            Arbitrary Code Execution

  Package         underscore

  Patched in      >=1.12.1

  Dependency of   @ethereum-waffle/chai

  Path            @ethereum-waffle/chai > @ethereum-waffle/provider >
                  ganache-core > web3 > web3-net > web3-core >
                  web3-core-requestmanager > web3-providers-http >
                  web3-core-helpers > web3-utils > underscore

  More info       https://npmjs.com/advisories/1674

...

found 1537 vulnerabilities (5 low, 481 moderate, 1051 high) in 1529 scanned packages
  run `npm audit fix` to fix 964 of them.
  573 vulnerabilities require manual review. See the full report for details.
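An added example (not code from the thread or from Waffle): a small parser for the legacy `npm audit` text report quoted above that groups findings by advisory and records which package sits directly above the vulnerable module in each path, since that parent declares the vulnerable version range and is the one that has to be bumped before `npm audit fix` can resolve the finding. The sample report is constructed, abbreviated from the output in this comment.

```javascript
// Added example, not from the thread: parse the legacy `npm audit` text report,
// then group findings by advisory and record the package directly above the
// vulnerable module in each path (the one declaring the vulnerable range).
const SEVERITY_RE = /^\s*(Low|Moderate|High|Critical)\s{2,}(.+)$/;
const FIELD_RE = /^\s*(Package|Patched in|Dependency of|Path|More info)\s{2,}(.*)$/;
// Constructed sample, abbreviated from the report quoted in the thread above.
const SAMPLE_REPORT = `
  High            Command Injection
  Package         lodash
  Dependency of   @ethereum-waffle/chai
  Path            @ethereum-waffle/chai > @ethereum-waffle/provider > ganache-core >
                  web3-provider-engine > eth-json-rpc-infura > json-rpc-engine >
                  babel-preset-env > babel-plugin-transform-es2015-classes >
                  babel-helper-function-name > babel-types > lodash
  More info       https://npmjs.com/advisories/1673
  High            Arbitrary Code Execution
  Package         underscore
  Patched in      >=1.12.1
  Dependency of   @ethereum-waffle/chai
  Path            @ethereum-waffle/chai > @ethereum-waffle/provider > ganache-core >
                  web3 > web3-eth > web3-net > web3-core > web3-core-requestmanager >
                  web3-providers-http > web3-core-helpers > web3-utils > underscore
  More info       https://npmjs.com/advisories/1674
`;
function parseAudit(report) {
  const findings = [];
  let cur = null, key = null;
  for (const line of report.split('\n')) {
    let m = line.match(SEVERITY_RE);
    if (m) { cur = { severity: m[1], title: m[2].trim(), fields: {} }; findings.push(cur); key = null; continue; }
    m = line.match(FIELD_RE);
    if (m && cur) { key = m[1]; cur.fields[key] = m[2].trim(); continue; }
    if (cur && key === 'Path' && line.trim()) cur.fields.Path += ' ' + line.trim(); // wrapped path line
  }
  return findings.map(f => ({ severity: f.severity, title: f.title, pkg: f.fields['Package'],
    patched: f.fields['Patched in'] || null, root: f.fields['Dependency of'], url: f.fields['More info'],
    path: (f.fields.Path || '').split('>').map(s => s.trim()).filter(Boolean) }));
}
// One entry per advisory: number of paths, top-level roots, and the parents declaring the bad range.
function triage(findings) {
  const out = new Map();
  for (const f of findings) {
    const e = out.get(f.url) || { pkg: f.pkg, severity: f.severity, patched: f.patched, roots: new Set(), parents: new Set(), paths: 0 };
    e.paths += 1; e.roots.add(f.root);
    if (f.path.length >= 2) e.parents.add(f.path[f.path.length - 2]);
    out.set(f.url, e);
  }
  return out;
}
```

Feeding it a full report shows at a glance that every chain here enters through @ethereum-waffle/provider > ganache-core, which is why bumping the application's own dependencies cannot clear these findings.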

@plasmatech8

Seeing 2000 npm vulnerabilities is a bit off-putting. It would be nice to see an update.

@D4nte
Contributor

D4nte commented Jun 10, 2021

No commit since April, I wonder if support is being dropped.

@Ungolim

Ungolim commented Jun 16, 2021

@marekkirejczyk @krzysztof-jelski when are Waffle deps going to be updated? Maybe unrelated, but matchers have started acting weird:

@marekkirejczyk
Contributor

Hi @lepidotteri,

We will update dependencies soon.

This is probably an unrelated problem. Perhaps you wanted to do:

expect(1).to.eq(1)
expect(Zero).to.eq(BigNumber.from(1))

@Ungolim

Ungolim commented Jun 16, 2021

> Hi @lepidotteri,
>
> We will update dependencies soon.
>
> This is probably an unrelated problem. Perhaps you wanted to do:
>
> expect(1).to.eq(1)
> expect(Zero).to.eq(BigNumber.from(1))

oh lol, I always assumed there was a shorthand notation there

thank you for the deps update!

@tuler

tuler commented Jun 28, 2021

Please please update dependencies.

1154 vulnerabilities found - Packages audited: 1494
Severity: 10 Low | 11 Moderate | 1133 High

@vanruch
Contributor

vanruch commented Jun 29, 2021

> Please please update dependencies.
>
> 1154 vulnerabilities found - Packages audited: 1494
> Severity: 10 Low | 11 Moderate | 1133 High

@tuler What version are you on? I don't see any high severity vulnerabilities on 3.4.0

@Jasonkoolman

Jasonkoolman commented Aug 31, 2021

found 2120 vulnerabilities (6 low, 4 moderate, 2110 high) in 1463 scanned packages

Got this on a fresh install. Almost all are coming from ethereum-waffle:

[...]

  High            Arbitrary Code Execution

  Package         underscore

  Patched in      >=1.12.1

  Dependency of   ethereum-waffle [dev]

  Path            ethereum-waffle > @ethereum-waffle/provider > ganache-core >
                  web3 > web3-eth > web3-eth-ens > underscore

  More info       https://npmjs.com/advisories/1674

@jedashford

jedashford commented Dec 1, 2021

Same here in Dec 2021. All coming from waffle:

found 88 vulnerabilities (10 low, 35 moderate, 43 high) in 1701 scanned packages

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution in underscore                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ underscore                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.12.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ethereum-waffle [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ethereum-waffle > @ethereum-waffle/chai >                    │
│               │ @ethereum-waffle/provider > ganache-core > web3 > web3-eth > │
│               │ web3-eth-ens > web3-eth-contract > web3-core >               │
│               │ web3-core-method > web3-core-subscriptions >                 │
│               │ web3-core-helpers > web3-eth-iban > web3-utils > underscore  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@haithamelmengad

Same issue here

@jaybuidl

The package @ensdomains/ens is long obsolete and deprecated and should be replaced by @ensdomains/ens-contracts. Currently it's pulling vulnerable dependencies with it such as yargs-parser.

https://www.npmjs.com/package/@ensdomains/ens

@rhlsthrm
Contributor Author

This package is horribly maintained. It's sad that it's a required dependency of frameworks such as hardhat.

@tt-marek
Contributor

We resumed the work on Waffle recently, expect significant updates in 1-2 weeks.
Some context here:
https://medium.com/truefieng/introducing-truefi-engineering-8bd0c4b20e7f

@anthonysgro

I gotta say there's a huge improvement from the literal thousands of vulnerabilities that the original posters reported before. Now, as of April 2022 for version 3.4.4, I see 47 vulnerabilities (11 moderate, 36 high), some of which are arbitrary code execution vulns, which is frankly not inspiring confidence.

A ton of these are caused by what the above poster mentioned: https://www.npmjs.com/package/@ensdomains/ens
And also by ganache-core. Both are long deprecated. Y'all need to migrate away from these deprecated packages.

It is crazy to me how this issue has persisted for damn near a year.

@tt-marek
Contributor

tt-marek commented Apr 4, 2022

Check out 4.0 alpha.
For 4.0 we focus solely on getting dependencies right; we did neglect dependency updates and it is not so trivial now.

https://www.npmjs.com/package/ethereum-waffle/v/4.0.0-alpha.8

@excalq

excalq commented Apr 20, 2022

Thank you a ton, this makes me very happy to see.

I have a smallish project created using Hardhat's "advanced sample project" init, and this is the NPM dependency list it generated (using Waffle 3.4.0): https://gist.github.com/excalq/aa47fc423ca7540567537b718c5ff470 Waffle's dependencies are lines 435-2527!

@rzadp
Contributor

rzadp commented Aug 1, 2022

Things are better now, and #774 brings Waffle 4 to this nice view:

pnpm audit --prod
No known vulnerabilities found
