[Snyk] Fix for 1 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/0x.js/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @0x/asset-swapper

The new version differs by 250 commits.

• 92e681f Publish
• 3f65dd6 Updated CHANGELOGS & MD docs
• 4425c31 chore: update packages ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #553)
• 9058839 WooFi Gas Estimates ([Snyk] Security upgrade nyc from 11.9.0 to 12.0.0 #551)
• 46a7a2e Revert "chore: Remove unused addresses in addresses.json [TKR-519] ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #548)"
• b35dccd Offboard Cream ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #546)
• 08e0c2e chore: Add checks for `addresses.json` [TKR-519] ([Snyk] Fix for 1 vulnerabilities #549)
• 8aa313a chore: Remove unused addresses in addresses.json [TKR-519] ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #548)
• 8e9699c Publish
• 939b708 Updated CHANGELOGS & MD docs
• 1617e3f Fix Polygon and Ganache FillQuoteTransformer addresses ([Snyk] Security upgrade @0x/mesh-rpc-client from 7.0.4-beta-0xv3 to 8.1.0 #547)
• e0d7057 Publish
• 01a6d93 Updated CHANGELOGS & MD docs
• 9b9f0b9 Move woofi tokens to constant.ts and run prettier ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #544)
• 0d0fef8 PR #
• 17adfbe changelogs
• 8059462 empty commit to run workflow
• 0dba5a5 lowercase addresses ([Snyk] Fix for 1 vulnerabilities #542)
• 4dae8de feat: add Foundry support to contracts/zero-ex ([Snyk] Security upgrade @0x/dev-utils from 3.3.6 to 5.0.0 #534)
• 0046bb2 Update WooFi sampler logicand addresses.json w/ new FQT's
• fe935f7 Use @ 0x/fast-abi instead of deprecated fast-abi ([Snyk] Security upgrade @0x/subproviders from 6.6.5 to 7.0.0 #540)
• 1b527ff Clean up Mirror and UST related stuff ([Snyk] Fix for 1 vulnerabilities #539)
• 9f5324d Publish
• 3647392 Updated CHANGELOGS & MD docs

See the full diff

Package name: @0x/subproviders

The new version differs by 53 commits.

• c33f74a Publish
• d0fe875 Updated CHANGELOGS & MD docs
• 06d1d34 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #93 from 0xProject/david/subproviders-8
• 8d21ec1 chore: update subproviders version to 8.0.0
• 1e26144 Merge pull request [Snyk] Security upgrade @0x/base-contract from 6.5.0 to 7.0.0 #91 from 0xProject/david/subproviders-clean
• bf9aaea chore: clean unused code from @ 0x/subproviders
• 8c79268 Publish
• d6e3f73 Updated CHANGELOGS & MD docs
• 8df4471 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #86 from 0xProject/feat/parse-imports-single-quotes
• 6f68b71 add ability to parse single quote imports
• 2ca3096 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #85 from 0xProject/dependabot/npm_and_yarn/json5-1.0.2
• 2d90e21 Bump json5 from 1.0.1 to 1.0.2
• 913ee4b Merge pull request [Snyk] Fix for 2 vulnerabilities #84 from 0xProject/dependabot/npm_and_yarn/decode-uri-component-0.2.2
• 03c2f93 Bump decode-uri-component from 0.2.0 to 0.2.2
• 2b6d538 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #76 from 0xProject/dependabot/npm_and_yarn/change-case-4.1.2
• 1650f30 Changed functions names
• 540286e Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #79 from 0xProject/dependabot/npm_and_yarn/depcheck-1.4.3
• 7696d3b Bump change-case from 3.1.0 to 4.1.2
• 1ee8ccf Bump depcheck from 0.6.11 to 1.4.3
• 5eb26b0 Merge pull request [Snyk] Fix for 2 vulnerabilities #77 from 0xProject/dependabot/npm_and_yarn/sinon-15.0.0
• b444777 Merge pull request [Snyk] Security upgrade @0x/utils from 5.6.4 to 7.0.0 #73 from 0xProject/dependabot/github_actions/actions/setup-python-4
• 4cd16d3 Merge pull request [Snyk] Fix for 2 vulnerabilities #75 from 0xProject/dependabot/npm_and_yarn/loader-utils-1.4.2
• f91bf18 Bump actions/setup-python from 2 to 4
• cb2f8d5 Merge pull request [Snyk] Security upgrade @0x/base-contract from 6.5.0 to 7.0.0 #74 from 0xProject/dependabot/github_actions/actions/setup-node-3

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[socket-security]

New dependency changes detected. Learn more about Socket for GitHub ↗︎

---

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore @0x/[email protected]
• @SocketSecurity ignore [email protected]
• @SocketSecurity ignore @0x/[email protected]
• @SocketSecurity ignore [email protected]

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package	Script field	Source
@0x/[email protected] (added)	install	packages/0x.js/package.json via @0x/[email protected]
[email protected] (added)	postinstall	packages/0x.js/package.json via @0x/[email protected]
@0x/[email protected] (added)	install	packages/0x.js/package.json via @0x/[email protected]
[email protected] (added)	install	package.json via @0x/[email protected], contracts/integrations/package.json via @0x/[email protected]

🫣 Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

Package	Location	Source
@0x/[email protected] (added)	binding.gyp	packages/0x.js/package.json via @0x/[email protected]

Pull request alert summary

Issue	Status
Install scripts	⚠️ 4 issues
Native code	⚠️ 1 issue
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

---

📊 Modified Dependency Overview:

➕ Added Package	Capability Access	+/- Transitive Count	Publisher
@0x/[email protected]	network	+109	tobernguyen
[email protected]	filesystem	+0	typescript-bot

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.