From b12bf11518a1495c40b6f9e66a4cb57c8bba2ccd Mon Sep 17 00:00:00 2001
From: Sahil Aujla
Date: Fri, 27 Sep 2024 15:04:46 -0400
Subject: [PATCH] add overrides for elliptic and ws packages to address security concerns (#454)

* add overrides for elliptic and ws packages to address security concerns

* replace overrides with resoultions for yarn v1
---
 CHANGELOG.md   |  8 ++++++++
 package.json   |  6 +++++-
 src/version.ts |  2 +-
 yarn.lock      | 26 ++++++++------------------
 4 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b2bd0f23..e6911d60 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,14 @@
 
 ### Minor Changes
 
+## 3.4.2
+
+### Minor Changes
+
+- Addressed security vulnerabilities by adding overrides for `elliptic` and `ws` dependencies. Specifically:
+  - Updated `elliptic` to version `6.5.7` (latest) to fix vulnerabilities related to EDDSA signature length checks and ECDSA BER-encoded signatures.
+  - Updated `ws` to version `7.5.10` to mitigate a potential DoS vulnerability. The latest major version of `ws` is `8.x`, however, `7.5.10` is the most up-to-date version compatible with `ethers v5`, which depends on `7.x` versions of `ws`.
+
 ## 3.4.1
 
 ### Minor Changes
diff --git a/package.json b/package.json
index 592241d5..5df2abe1 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "alchemy-sdk",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Extended Ethers.js SDK for Alchemy APIs",
   "author": "Alchemy",
   "license": "MIT",
@@ -99,6 +99,10 @@
     "typedoc-plugin-markdown": "^3.12.1",
     "typescript": "^4.5.5"
   },
+  "resolutions": {
+    "elliptic": "6.5.7",
+    "ws": "7.5.10"
+  },
   "sideEffects": false,
   "size-limit": [
     {
diff --git a/src/version.ts b/src/version.ts
index 1fa8c40e..0d00223f 100644
--- a/src/version.ts
+++ b/src/version.ts
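Review bot: The new `resolutions` entry pins `ws` to the exact version `7.5.10` for every requester, which according to the yarn.lock hunk also forces the `ws@8.5.0` specifier down a major version, and exact pins mean later security releases of `ws` and `elliptic` will not be picked up without another manual bump of this block. A floor range keeps today's fix while letting future patch releases through: `"elliptic": "^6.5.7",` and `"ws": "^7.5.10"`. If the `ws@8.5.0` requester is not ethers, consider scoping the `ws` pin to the ethers dependency path instead (yarn v1 resolutions accept `"<dependent>/ws"` keys) so that consumer stays on its 8.x line, which presumably carries its own fix for the same issue. Since JSON cannot hold a comment, the CHANGELOG entry is the place to state that these pins must be revisited when ethers v5 is upgraded.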
@@ -1,3 +1,3 @@
 // This file is autogenerated by injectVersion.js. Any changes will be
 // overwritten on commit!
-export const VERSION = '3.4.1';
+export const VERSION = '3.4.2';
diff --git a/yarn.lock b/yarn.lock
index 5272252c..16b4bbb2 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2214,10 +2214,10 @@ electron-to-chromium@^1.4.84:
   resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.96.tgz#a97438a01d5db1460343fea4a344960b09330990"
   integrity sha512-DPNjvNGPabv6FcyjzLAN4C0psN/GgD9rSGvMTuv81SeXG/EX3mCz0wiw9N1tUEnfQXYCJi3H8M0oFPRziZh7rw==
 
-elliptic@6.5.4:
-  version "6.5.4"
-  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.4.tgz#da37cebd31e79a1367e941b592ed1fbebd58abbb"
-  integrity sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==
+elliptic@6.5.4, elliptic@6.5.7:
+  version "6.5.7"
+  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.7.tgz#8ec4da2cb2939926a1b9a73619d768207e647c8b"
+  integrity sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==
   dependencies:
     bn.js "^4.11.9"
     brorand "^1.1.0"
@@ -5646,20 +5646,10 @@ write-file-atomic@^3.0.0:
     signal-exit "^3.0.2"
     typedarray-to-buffer "^3.1.5"
 
-ws@7.4.6:
-  version "7.4.6"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-7.4.6.tgz#5654ca8ecdeee47c33a9a4bf6d28e2be2980377c"
-  integrity sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A==
-
-ws@8.5.0:
-  version "8.5.0"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-8.5.0.tgz#bfb4be96600757fe5382de12c670dab984a1ed4f"
-  integrity sha512-BWX0SWVgLPzYwF8lTzEy1egjhS4S4OEAHfsO8o65WOVsrnSRGaSiUaa9e0ggGlkMTtBlmOpEXiie9RUcBO86qg==
-
-ws@^7.4.6:
-  version "7.5.7"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.7.tgz#9e0ac77ee50af70d58326ecff7e85eb3fa375e67"
-  integrity sha512-KMvVuFzpKBuiIXW3E4u3mySRO2/mCHSyZDJQM5NQ9Q9KHWHWh0NHgfbRMLLrceUK5qAL4ytALJbpRMjixFZh8A==
+ws@7.4.6, ws@7.5.10, ws@8.5.0, ws@^7.4.6:
+  version "7.5.10"
+  resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.10.tgz#58b5c20dc281633f6c19113f39b349bd8bd558d9"
+  integrity sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==
 
 xml-name-validator@^3.0.0:
   version "3.0.0"