58 vulnerabilities in dependencies #5236

@javiermarcon

Description

Screenshot or description

There are 58 vulnerabilities in this package's dependencies (8 low, 35 moderate, 14 high, 1 critical).

I tried to fix them, but most of them have breaking changes.

$ npm audit fix
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-side-effect@1.2.0
npm WARN Found: react@17.0.2
npm WARN node_modules/react
npm WARN react@"^17.0.1" from the root project
npm WARN 28 more (@web3-react/core, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"^0.13.0 || ^0.14.0 || ^15.0.0 || ^16.0.0" from react-side-effect@1.2.0
npm WARN node_modules/react-document-meta/node_modules/react-side-effect
npm WARN react-side-effect@"^1.1.0" from react-document-meta@3.0.0-beta.2
npm WARN node_modules/react-document-meta
npm WARN
npm WARN Conflicting peer dependency: react@16.14.0
npm WARN node_modules/react
npm WARN peer react@"^0.13.0 || ^0.14.0 || ^15.0.0 || ^16.0.0" from react-side-effect@1.2.0
npm WARN node_modules/react-document-meta/node_modules/react-side-effect
npm WARN react-side-effect@"^1.1.0" from react-document-meta@3.0.0-beta.2
npm WARN node_modules/react-document-meta

up to date, audited 2787 packages in 1m

313 packages are looking for funding
run npm fund for details

npm audit report

axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install axios@1.6.7, which is a breaking change
node_modules/@json-rpc-tools/provider/node_modules/axios
node_modules/axios
@json-rpc-tools/provider <=2.0.0-beta.1
Depends on vulnerable versions of axios
node_modules/@json-rpc-tools/provider
eip1193-provider >=1.0.0
Depends on vulnerable versions of @json-rpc-tools/provider
node_modules/eip1193-provider
@walletconnect/ethereum-provider <=2.4.3
Depends on vulnerable versions of eip1193-provider
node_modules/@walletconnect/ethereum-provider
@web3-react/walletconnect-connector >=6.2.6
Depends on vulnerable versions of @walletconnect/ethereum-provider
node_modules/@web3-react/walletconnect-connector

elliptic <=6.5.3
Severity: high
Elliptic Uses a Broken or Risky Cryptographic Algorithm - GHSA-r9p9-mrjm-926w
Signature Malleabillity in elliptic - GHSA-vh7m-p724-62c2
No fix available
node_modules/ghost-bitcore-lib/node_modules/elliptic
ghost-bitcore-lib
Depends on vulnerable versions of elliptic
Depends on vulnerable versions of lodash
node_modules/ghost-bitcore-lib

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install ava@6.1.1, which is a breaking change
node_modules/package-json/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
ava 0.1.0 - 4.0.0-rc.1
Depends on vulnerable versions of update-notifier
node_modules/ava

jpeg-js <=0.4.3
Severity: high
Infinite loop in jpeg-js - GHSA-xvf7-4v9q-58w6
Uncontrolled resource consumption in jpeg-js - GHSA-w7q9-p3jq-fmhm
fix available via npm audit fix --force
Will install favicons@7.1.5, which is a breaking change
node_modules/resize-img/node_modules/jimp/node_modules/jpeg-js
node_modules/resize-img/node_modules/jpeg-js
jimp <=0.3.5
Depends on vulnerable versions of jpeg-js
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of request
Depends on vulnerable versions of url-regex
node_modules/resize-img/node_modules/jimp
resize-img <=1.1.2
Depends on vulnerable versions of jimp
Depends on vulnerable versions of jpeg-js
node_modules/resize-img
to-ico >=1.1.0
Depends on vulnerable versions of resize-img
node_modules/to-ico
favicons 4.8.3 - 7.1.1
Depends on vulnerable versions of sharp
Depends on vulnerable versions of to-ico
Depends on vulnerable versions of xml2js
node_modules/favicons

json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install babel-plugin-module-resolver@5.0.0, which is a breaking change
node_modules/find-babel-config/node_modules/json5
find-babel-config <=1.2.0
Depends on vulnerable versions of json5
node_modules/find-babel-config
babel-plugin-module-resolver 2.3.0 - 4.1.0
Depends on vulnerable versions of find-babel-config
node_modules/babel-plugin-module-resolver

libp2p <=0.38.0-fc2224a
Severity: high
libp2p DoS vulnerability from lack of resource management - GHSA-f44q-634c-jvwv
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of peer-id
fix available via npm audit fix --force
Will install libp2p@1.2.3, which is a breaking change
node_modules/libp2p

lodash <=4.17.20
Severity: high
Regular Expression Denial of Service (ReDoS) in lodash - GHSA-29mw-wpgm-hmr9
Command Injection in lodash - GHSA-35jh-r3h4-6jhm
fix available via npm audit fix
node_modules/ghost-bitcore-lib/node_modules/lodash

minimist <=0.2.3
Severity: critical
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
fix available via npm audit fix --force
Will install favicons@7.1.5, which is a breaking change
node_modules/resize-img/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/resize-img/node_modules/mkdirp

node-fetch <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - GHSA-r683-j2x4-v87g
fix available via npm audit fix --force
Will install puppeteer@22.3.0, which is a breaking change
node_modules/puppeteer/node_modules/node-fetch
puppeteer 10.0.0 - 13.1.1
Depends on vulnerable versions of node-fetch
node_modules/puppeteer

node-forge <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5
Prototype Pollution in node-forge util.setPath API - GHSA-wxgw-qj99-44c2
URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in node-forge - GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge - GHSA-92xj-mqp7-vmcj
Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g
fix available via npm audit fix --force
Will install libp2p@1.2.3, which is a breaking change
node_modules/libp2p-secio/node_modules/node-forge
node_modules/libp2p-secio/node_modules/peer-id/node_modules/node-forge
node_modules/node-forge
libp2p-crypto <=0.6.1 || 0.12.0 - 0.21.1
Depends on vulnerable versions of node-forge
node_modules/libp2p-crypto
node_modules/libp2p-interfaces/node_modules/libp2p-crypto
node_modules/libp2p-secio/node_modules/libp2p-crypto
node_modules/libp2p-secio/node_modules/peer-id/node_modules/libp2p-crypto
node_modules/peer-id/node_modules/libp2p-crypto
libp2p-interfaces <=1.3.1
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of peer-id
node_modules/libp2p-interfaces
node_modules/libp2p-secio/node_modules/libp2p-interfaces
libp2p-gossipsub <=0.11.5
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-gossipsub
libp2p-kad-dht 0.6.3 - 0.27.0
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-kad-dht
libp2p-secio <=0.5.0 || >=0.9.1
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-secio
peer-id 0.7.0 || 0.10.5 - 0.15.4
Depends on vulnerable versions of libp2p-crypto
node_modules/libp2p-secio/node_modules/peer-id
node_modules/peer-id
libp2p-bootstrap <=0.13.0
Depends on vulnerable versions of peer-id
node_modules/libp2p-bootstrap
libp2p-webrtc-star 0.2.0 - 0.4.5 || 0.13.4 - 0.24.1
Depends on vulnerable versions of peer-id
node_modules/libp2p-webrtc-star

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix --force
Will install web3@4.5.0, which is a breaking change
node_modules/request
request-promise-cache *
Depends on vulnerable versions of request
node_modules/request-promise-cache
request-promise-core *
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native
servify *
Depends on vulnerable versions of request
node_modules/servify
eth-lib 0.1.24 - 0.1.29
Depends on vulnerable versions of servify
node_modules/eth-lib
swarm-js >=0.1.36
Depends on vulnerable versions of eth-lib
node_modules/swarm-js
web3-bzz *
Depends on vulnerable versions of swarm-js
node_modules/web3-bzz
web3 1.0.0-beta.1 - 3.0.0-rc.0
Depends on vulnerable versions of web3-bzz
node_modules/web3
@1inch/limit-order-protocol >=1.4.0
Depends on vulnerable versions of web3
node_modules/@1inch/limit-order-protocol
web3-provider-engine *
Depends on vulnerable versions of ethereumjs-block
Depends on vulnerable versions of ethereumjs-vm
Depends on vulnerable versions of request
node_modules/web3-provider-engine
@walletconnect/web3-provider *
Depends on vulnerable versions of web3-provider-engine
node_modules/@walletconnect/web3-provider

semver >=7.0.0 <7.5.2 || <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/levelup/node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
levelup 0.9.0 - 1.3.9
Depends on vulnerable versions of semver
node_modules/levelup
merkle-patricia-tree 0.1.22 - 2.3.2
Depends on vulnerable versions of levelup
node_modules/merkle-patricia-tree
ethereumjs-block >=0.0.3
Depends on vulnerable versions of merkle-patricia-tree
node_modules/ethereumjs-block
node_modules/ethereumjs-vm/node_modules/ethereumjs-block
ethereumjs-vm >=0.1.1
Depends on vulnerable versions of ethereumjs-block
Depends on vulnerable versions of merkle-patricia-tree
node_modules/ethereumjs-vm
simple-update-notifier 1.0.7 - 1.1.0
Depends on vulnerable versions of semver
node_modules/simple-update-notifier
nodemon 2.0.19 - 2.0.22
Depends on vulnerable versions of simple-update-notifier
node_modules/nodemon

sharp <=0.32.5
Severity: high
sharp vulnerable to Command Injection in post-installation over build environment - GHSA-gp95-ppv5-3jc5
sharp vulnerability in libwebp dependency CVE-2023-4863 - GHSA-54xq-cgqr-rpm3
fix available via npm audit fix
node_modules/sharp

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3
fix available via npm audit fix --force
Will install web3@4.5.0, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie

url-regex *
Severity: high
Regular expression denial of service in url-regex - GHSA-v4rh-8p82-6h5w
fix available via npm audit fix
node_modules/url-regex

xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - GHSA-776f-qx25-q3cc
fix available via npm audit fix --force
Will install favicons@7.1.5, which is a breaking change
node_modules/xml2js

58 vulnerabilities (8 low, 35 moderate, 14 high, 1 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Steps to reproduce

nvm install 18
npm i

Environment

  • Domain: not set
  • Mainnet or Testnet: testnet
  • Browser: any
  • OS: Ubuntu 23.10

Your version

  • [x] latest
  • [ ] not latest (please try to upgrade first)
  • [ ] not sure

Does this affect atomic swap flow?

  • [x] yes
  • [ ] no

Are real funds at risk?

  • [ ] yes
  • [x] no
