add overrides for elliptic and ws packages to address security concer…

…ns (#454) * add overrides for elliptic and ws packages to address security concerns * replace overrides with resoultions for yarn v1
alchemyplatform · Sep 27, 2024 · b12bf11 · b12bf11
1 parent ee25bca
commit b12bf11
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,14 @@
 
 ### Minor Changes
 
+## 3.4.2
+
+### Minor Changes
+
+- Addressed security vulnerabilities by adding overrides for `elliptic` and `ws` dependencies. Specifically:
+  - Updated `elliptic` to version `6.5.7` (latest) to fix vulnerabilities related to EDDSA signature length checks and ECDSA BER-encoded signatures.
+  - Updated `ws` to version `7.5.10` to mitigate a potential DoS vulnerability. The latest major version of `ws` is `8.x`, however, `7.5.10` is the most up-to-date version compatible with `ethers v5`, which depends on `7.x` versions of `ws`.
+
 ## 3.4.1
 
 ### Minor Changes

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "alchemy-sdk",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Extended Ethers.js SDK for Alchemy APIs",
   "author": "Alchemy",
   "license": "MIT",
@@ -99,6 +99,10 @@
     "typedoc-plugin-markdown": "^3.12.1",
     "typescript": "^4.5.5"
   },
+  "resolutions": {
+    "elliptic": "6.5.7",
+    "ws": "7.5.10"
+  },
   "sideEffects": false,
   "size-limit": [
     {

diff --git a/src/version.ts b/src/version.ts
@@ -1,3 +1,3 @@
 // This file is autogenerated by injectVersion.js. Any changes will be
 // overwritten on commit!
-export const VERSION = '3.4.1';
+export const VERSION = '3.4.2';
diff --git a/yarn.lock b/yarn.lock
@@ -2214,10 +2214,10 @@ electron-to-chromium@^1.4.84:
   resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.96.tgz#a97438a01d5db1460343fea4a344960b09330990"
   integrity sha512-DPNjvNGPabv6FcyjzLAN4C0psN/GgD9rSGvMTuv81SeXG/EX3mCz0wiw9N1tUEnfQXYCJi3H8M0oFPRziZh7rw==
 
-[email protected]:
-  version "6.5.4"
-  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.4.tgz#da37cebd31e79a1367e941b592ed1fbebd58abbb"
-  integrity sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==
+[email protected], [email protected]:
+  version "6.5.7"
+  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.7.tgz#8ec4da2cb2939926a1b9a73619d768207e647c8b"
+  integrity sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==
   dependencies:
     bn.js "^4.11.9"
     brorand "^1.1.0"
@@ -5646,20 +5646,10 @@ write-file-atomic@^3.0.0:
     signal-exit "^3.0.2"
     typedarray-to-buffer "^3.1.5"
 
-[email protected]:
-  version "7.4.6"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-7.4.6.tgz#5654ca8ecdeee47c33a9a4bf6d28e2be2980377c"
-  integrity sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A==
-
-[email protected]:
-  version "8.5.0"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-8.5.0.tgz#bfb4be96600757fe5382de12c670dab984a1ed4f"
-  integrity sha512-BWX0SWVgLPzYwF8lTzEy1egjhS4S4OEAHfsO8o65WOVsrnSRGaSiUaa9e0ggGlkMTtBlmOpEXiie9RUcBO86qg==
-
-ws@^7.4.6:
-  version "7.5.7"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.7.tgz#9e0ac77ee50af70d58326ecff7e85eb3fa375e67"
-  integrity sha512-KMvVuFzpKBuiIXW3E4u3mySRO2/mCHSyZDJQM5NQ9Q9KHWHWh0NHgfbRMLLrceUK5qAL4ytALJbpRMjixFZh8A==
+[email protected], [email protected], [email protected], ws@^7.4.6:
+  version "7.5.10"
+  resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.10.tgz#58b5c20dc281633f6c19113f39b349bd8bd558d9"
+  integrity sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==
 
 xml-name-validator@^3.0.0:
   version "3.0.0"