
Security Vulnerabilities in Dependencies #106

Open
0xharshrastogi opened this issue Dec 9, 2024 · 0 comments

Comments

@0xharshrastogi
Contributor

Security Vulnerabilities in Dependencies

Overview

Running npm audit revealed several security vulnerabilities in the project's dependencies that need to be addressed to ensure the security and stability of the project.

Vulnerabilities

  1. cross-spawn (7.0.0 - 7.0.4)

    • Severity: High
    • Issue: Regular Expression Denial of Service (ReDoS) in cross-spawn
    • Advisory: GHSA-3xgq-45jj-v275
    • Recommended Fix: Upgrade to version 7.0.5 or later.
  2. elliptic (<6.6.0)

    • Severity: High
    • Issue: Valid ECDSA signatures erroneously rejected in Elliptic
    • Advisory: GHSA-fc9h-whq2-v747
    • Recommended Fix: Upgrade to version 6.6.0 or later.
  3. secp256k1 (4.0.0 - 4.0.3 || 5.0.0)

    • Severity: High
    • Issue: secp256k1-node allows private key extraction over ECDH
    • Advisory: GHSA-584q-6j8j-r5pm
    • Recommended Fix: Upgrade to version 4.0.4 or later, or 5.0.1 or later.

Logs

harshrastogi@Harsh-Rastogi js-moi-sdk % npm audit
(node:38695) ExperimentalWarning: CommonJS module /Users/harshrastogi/.nvm/versions/node/v23.2.0/lib/node_modules/npm/node_modules/debug/src/node.js is loading ES Module /Users/harshrastogi/.nvm/versions/node/v23.2.0/lib/node_modules/npm/node_modules/supports-color/index.js using require().
Support for loading ES Module in require() is an experimental feature and might change at any time
(Use `node --trace-warnings ...` to show where the warning was created)
# npm audit report

cross-spawn  7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn

elliptic  <6.6.0
Valid ECDSA signatures erroneously rejected in Elliptic - https://github.com/advisories/GHSA-fc9h-whq2-v747
fix available via `npm audit fix`
node_modules/elliptic

secp256k1  4.0.0 - 4.0.3 || 5.0.0
Severity: high
secp256k1-node allows private key extraction over ECDH - https://github.com/advisories/GHSA-584q-6j8j-r5pm
secp256k1-node allows private key extraction over ECDH - https://github.com/advisories/GHSA-584q-6j8j-r5pm
fix available via `npm audit fix`
node_modules/hdkey/node_modules/secp256k1
node_modules/secp256k1

3 vulnerabilities (1 low, 2 high)
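As an added example that is not part of this issue or of the js-moi-sdk project: a small Node script that reads `npm audit --json` output and fails a CI step when any finding at or above a chosen severity remains, instead of relying on someone reading the text report. The report shape assumed is npm's `auditReportVersion` 2 (`vulnerabilities[<name>]` with `severity`, `range`, `via`, `nodes`, `isDirect`, `fixAvailable`). The embedded sample is constructed from the three packages, ranges, advisory titles and URLs in the log above; the `isDirect` flags and elliptic's `low` severity (taken from the log's summary line) are assumptions made for the sample.

```javascript
// Added example, not project code: gate CI on `npm audit --json` output.
// Assumes npm's auditReportVersion 2 report shape.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample shaped like `npm audit --json`, built from the issue's log.
// isDirect values and elliptic's severity are assumptions for the sample.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'cross-spawn': {
      name: 'cross-spawn', severity: 'high', isDirect: false,
      via: [{ name: 'cross-spawn', severity: 'high', range: '7.0.0 - 7.0.4',
              title: 'Regular Expression Denial of Service (ReDoS) in cross-spawn',
              url: 'https://github.com/advisories/GHSA-3xgq-45jj-v275' }],
      effects: [], range: '7.0.0 - 7.0.4',
      nodes: ['node_modules/cross-spawn'], fixAvailable: true,
    },
    elliptic: {
      name: 'elliptic', severity: 'low', isDirect: false,
      via: [{ name: 'elliptic', severity: 'low', range: '<6.6.0',
              title: 'Valid ECDSA signatures erroneously rejected in Elliptic',
              url: 'https://github.com/advisories/GHSA-fc9h-whq2-v747' }],
      effects: [], range: '<6.6.0',
      nodes: ['node_modules/elliptic'], fixAvailable: true,
    },
    secp256k1: {
      name: 'secp256k1', severity: 'high', isDirect: false,
      via: [{ name: 'secp256k1', severity: 'high', range: '4.0.0 - 4.0.3 || 5.0.0',
              title: 'secp256k1-node allows private key extraction over ECDH',
              url: 'https://github.com/advisories/GHSA-584q-6j8j-r5pm' }],
      effects: [], range: '4.0.0 - 4.0.3 || 5.0.0',
      nodes: ['node_modules/hdkey/node_modules/secp256k1', 'node_modules/secp256k1'],
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 0, total: 3 } },
};

// fixAvailable is `true`, `false`, or an object naming the top-level dependency
// whose bump resolves the finding (possibly a semver-major change).
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'npm audit fix';
  if (!fixAvailable) return 'no automatic fix';
  const major = fixAvailable.isSemVerMajor ? ' (semver-major)' : '';
  return `upgrade ${fixAvailable.name} to ${fixAvailable.version}${major}`;
}

// One entry per vulnerable package at or above `threshold`, most severe first.
function findingsAtOrAbove(report, threshold = 'high') {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown threshold "${threshold}"`);
  const out = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    if (!(v.severity in SEVERITY_RANK)) throw new Error(`unknown severity "${v.severity}" for ${name}`);
    if (SEVERITY_RANK[v.severity] < SEVERITY_RANK[threshold]) continue;
    // `via` mixes advisory objects with plain strings naming the dependency a
    // finding is inherited through; only the objects carry advisory details.
    const advisories = (v.via || [])
      .filter((x) => typeof x === 'object')
      .map((a) => ({ title: a.title, url: a.url, range: a.range }));
    out.push({
      name, severity: v.severity, range: v.range, direct: Boolean(v.isDirect),
      paths: v.nodes || [], fix: describeFix(v.fixAvailable), advisories,
    });
  }
  return out.sort((a, b) =>
    SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
}

// 1 if anything at/above the threshold remains, else 0: the value a CI step returns.
function auditExitCode(report, threshold = 'high') {
  return findingsAtOrAbove(report, threshold).length > 0 ? 1 : 0;
}

function formatFindings(findings) {
  return findings.map((f) => [
    `${f.severity.toUpperCase()}  ${f.name}  ${f.range}${f.direct ? '' : '  (transitive)'}`,
    ...f.advisories.map((a) => `  ${a.title} - ${a.url}`),
    ...f.paths.map((p) => `  ${p}`),
    `  fix: ${f.fix}`,
  ].join('\n')).join('\n');
}

// Usage: node audit-gate.js report.json   (report.json from `npm audit --json > report.json`)
// With no argument the constructed sample is printed and the exit code is left untouched.
if (typeof require !== 'undefined' && require.main === module) {
  const path = process.argv[2] && process.argv[2].endsWith('.json') ? process.argv[2] : null;
  const report = path ? JSON.parse(require('node:fs').readFileSync(path, 'utf8')) : SAMPLE_REPORT;
  const findings = findingsAtOrAbove(report, 'high');
  console.log(formatFindings(findings) || 'no findings at or above threshold');
  if (path) process.exitCode = auditExitCode(report, 'high');
}
```

The point of failing on the parsed JSON rather than on `npm audit`'s own exit status is that the gate can list the vulnerable install paths (both `secp256k1` copies in the log above would be reported) and distinguish a one-line `npm audit fix` from a semver-major bump that needs a code change.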