[Snyk] Upgrade: , , , , , , , , , , , , , , , , bip39, bufferutil, emittery, eth-sig-util, leveldown, tmp-promise, utf-8-validate, ws #677
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade multiple dependencies.
👯 The following dependencies are linked and will therefore be updated together.ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
@ethereumjs/util
from 8.0.5 to 8.1.0 | 2 versions ahead of your current version | a year ago
on 2023-06-20
@ethereumjs/common
from 3.1.1 to 3.2.0 | 2 versions ahead of your current version | a year ago
on 2023-06-20
@ethereumjs/trie
from 5.0.4 to 5.1.0 | 2 versions ahead of your current version | a year ago
on 2023-06-20
@ethereumjs/tx
from 4.1.1 to 4.2.0 | 2 versions ahead of your current version | a year ago
on 2023-06-20
@ethereumjs/vm
from 6.4.1 to 6.5.0 | 2 versions ahead of your current version | a year ago
on 2023-06-20
@ganache/console.log
from 0.4.0 to 0.4.2 | 2 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/ethereum-address
from 0.8.0 to 0.9.2 | 3 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/ethereum-block
from 0.8.0 to 0.9.2 | 3 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/ethereum-options
from 0.8.0 to 0.9.2 | 3 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/ethereum-transaction
from 0.8.0 to 0.9.2 | 3 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/ethereum-utils
from 0.8.0 to 0.9.2 | 3 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/options
from 0.8.0 to 0.9.2 | 3 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/promise-queue
from 0.4.0 to 0.4.2 | 2 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/rlp
from 0.8.0 to 0.9.2 | 3 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/secp256k1
from 0.5.0 to 0.5.2 | 2 versions ahead of your current version | 9 months ago
on 2023-12-21
@ganache/utils
from 0.8.0 to 0.9.2 | 3 versions ahead of your current version | 9 months ago
on 2023-12-21
bip39
from 3.0.4 to 3.1.0 | 1 version ahead of your current version | 2 years ago
on 2023-02-25
bufferutil
from 4.0.5 to 4.0.8 | 3 versions ahead of your current version | a year ago
on 2023-10-15
emittery
from 0.10.0 to 0.13.1 | 7 versions ahead of your current version | 2 years ago
on 2022-08-25
eth-sig-util
from 2.5.3 to 2.5.4 | 1 version ahead of your current version | 4 years ago
on 2021-02-04
leveldown
from 6.1.0 to 6.1.1 | 1 version ahead of your current version | 2 years ago
on 2022-03-25
tmp-promise
from 3.0.2 to 3.0.3 | 1 version ahead of your current version | 3 years ago
on 2021-10-26
utf-8-validate
from 5.0.7 to 5.0.10 | 3 versions ahead of your current version | 2 years ago
on 2022-10-18
ws
from 8.2.3 to 8.18.0 | 24 versions ahead of your current version | 2 months ago
on 2024-07-03
Release notes
Package name: @ethereumjs/util
EIP-7685 Requests: EIP-6110 (Deposits) / EIP-7002 (Withdrawals) / EIP-7251 (Consolidations)
This library now supports
EIP-6110
deposit requests, see PR #3390,EIP-7002
withdrawal requests, see PR #3385 andEIP-7251
consolidation requests, see PR #3477 as well as the underlying generic execution layer request logic introduced withEIP-7685
(PR #3372).These new request types will be activated with the
Prague
hardfork, see @ ethereumjs/block README for detailed documentation.EIP-2935 Serve Historical Block Hashes from State (Prague)
Starting with this release the VM supports EIP-2935 which stores the latest 256 block hashes in the storage of a system contract, see PR #3475 as the major integrational PR (while work on this has already been done in previous PRs).
This EIP will be activated along the Prague hardfork. Note that this EIP has no effect on the resolution of the
BLOCKHASH
opcode, which will be a separate activation taking place by the integration of EIP-7709 in the following Osaka hardfork.Verkle Dependency Decoupling
We have relatively light-heartedly added a new
@ ethereumjs/verkle
main dependency to the VM/EVM stack in thev7.2.1
release, which added an additional burden to the bundle size by several hundred KB and additionally draws in unnecessary WASM code. Coupling with Verkle has been refactored in PR #3462 and the direct dependency has been removed again.An update to this release is therefore strongly recommended even if other fixes or features are not that relevant for you right now.
Verkle Updates
verkle-cryptography-wasm
migration, PRs #3355 and #3356Other Features
evmOpts
to the VM opts to allow for options chaining to the underlying EVM, PR #3481Other Changes
VM._emit()
, PR #3396mcl-wasm
Dependency (Esbuild Issue), PR #3461Bugfixes
Package name: @ethereumjs/common
Package name: @ethereumjs/trie
Package name: @ethereumjs/tx
Package name: @ethereumjs/vm
Package name: @ganache/console.log
Package name: @ganache/ethereum-address
Package name: @ganache/ethereum-block
Package name: @ganache/ethereum-options
Package name: @ganache/ethereum-transaction
Package name: @ganache/ethereum-utils
Package name: @ganache/options
Package name: @ganache/promise-queue
Package name: @ganache/rlp
Package name: @ganache/secp256k1
Package name: @ganache/utils
Package name: bip39
3.1.0
3.0.4
Package name: bufferutil
No content.
No content.
No content.
No content.
Package name: emittery
v0.13.0...v0.13.1
v0.12.1...v0.13.0
v0.12.0...v0.12.1
off
method to the promise returned from.once()
(#100) e0b4ba7Emittery.mixin
type support arguments in constructor 32ddcbev0.11.0...v0.12.0
v0.10.2...v0.11.0
v0.10.1...v0.10.2
OmnipresentEventData
type (#93) 3e5bd10 2725900v0.10.0...v0.10.1
.on()
(#84) c4c11e4v0.9.2...v0.10.0
Package name: eth-sig-util
Changed
ethereumjs-abi
(#121)tweetnacl
to latest version (#124)2.5.3
Package name: leveldown
Fixed
getMany()
memory leak (#804) (51979d1
) (Vincent Weevers)ba729d2
) (Vincent Weevers).Added
db.getMany(keys)
(#787) (50dc50b
) (Vincent Weevers).Package name: tmp-promise
update dependencies, add publish script, use strict mode
Package name: utf-8-validate
No content.
No content.
No content.
No content.
Package name: ws
Features
Blob
(#2229).Bug fixes
A request with a number of headers exceeding the
server.maxHeadersCount
threshold could be used to crash a ws server.
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});
The vulnerability was reported by Ryan LaPointe in #2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
--max-http-header-size=size
and/or themaxHeaderSize
options sothat no more headers than the
server.maxHeadersCount
limit can be sent.server.maxHeadersCount
to0
so that no limit is applied.Features
WebSocket
constructor now accepts thecreateConnection
option (#2219).Other notable changes
allowSynchronousEvents
option has been changed totrue
(#2221).This is a breaking change in a patch release. The assumption is that the option
is not widely used.
Features
autoPong
option (01ba54e).Notable changes
allowMultipleEventsPerMicrotask
option has been renamed toallowSynchronousEvents
(4ed7fe5).This is a breaking change in a patch release that could have been avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully it
hasn't already been widely used.
Features
allowMultipleEventsPerMicrotask
option (93e3552).Bug fixes
swallowed when running tests (7f4e1a7).
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: