Patches and various version bumps #1728

Merged
merged 3 commits into from
Oct 28, 2024
Merged
893 changes: 0 additions & 893 deletions .yarn/releases/yarn-4.0.2.cjs

This file was deleted.

934 changes: 934 additions & 0 deletions .yarn/releases/yarn-4.5.1.cjs

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion .yarnrc.yml
Expand Up @@ -4,4 +4,4 @@ enableGlobalCache: false

nodeLinker: node-modules

yarnPath: .yarn/releases/yarn-4.0.2.cjs
yarnPath: .yarn/releases/yarn-4.5.1.cjs
12 changes: 6 additions & 6 deletions contracts/package.json
Expand Up @@ -64,7 +64,7 @@
"@kleros/kleros-v2-eslint-config": "workspace:^",
"@kleros/kleros-v2-prettier-config": "workspace:^",
"@kleros/kleros-v2-tsconfig": "workspace:^",
"@logtail/pino": "^0.4.19",
"@logtail/pino": "^0.4.22",
💡 Codebase verification

Dependency updates need attention for security vulnerabilities

The dependency tree analysis shows that the vulnerable packages are present in the project:

While the routine updates to @logtail/pino and other packages are good, they don't address the security vulnerabilities mentioned in the PR objectives. The project still includes potentially vulnerable versions of these packages through dependencies.

🔗 Analysis chain

LGTM! Version updates look appropriate.

The dependency updates appear to be routine maintenance updates to newer patch/minor versions, which is a good practice for keeping dependencies up-to-date with bug fixes and improvements.

Let's verify if any of these updates indirectly address the reported vulnerabilities:

Also applies to: 76-77, 83-83, 95-95, 106-106

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the vulnerable packages are present in the dependency tree
# and their versions after the updates

echo "Checking for vulnerable packages in dependency tree..."
yarn why dompurify secp256k1 ws

echo "Checking resolved versions of updated packages..."
yarn why @logtail/pino @types/node @wagmi/cli graphql pino viem

Length of output: 471


Script:

#!/bin/bash
# Let's try using npm instead of yarn, and check the dependency tree
npm list dompurify secp256k1 ws 2>/dev/null || true

# Also check package-lock.json if it exists
if [ -f package-lock.json ]; then
    echo "Found package-lock.json, checking for vulnerable packages..."
    grep -A 2 '"dompurify"\|"secp256k1"\|"ws"' package-lock.json || true
fi

# Check if there's a yarn.lock file
if [ -f yarn.lock ]; then
    echo "Found yarn.lock, checking for vulnerable packages..."
    grep -A 2 'dompurify@\|secp256k1@\|ws@' yarn.lock || true
fi

# Let's also check for these packages in the entire codebase
echo "Checking for direct references in the codebase..."
rg --type-add 'lock:*.lock' --type-add 'json:*.json' -t lock -t json 'dompurify@|secp256k1@|ws@' || true

Length of output: 7311

"@nomicfoundation/hardhat-chai-matchers": "^1.0.6",
"@nomiclabs/hardhat-ethers": "^2.2.3",
"@nomiclabs/hardhat-solhint": "^3.0.1",
Expand All @@ -73,14 +73,14 @@
"@typechain/hardhat": "^7.0.0",
"@types/chai": "^4.3.11",
"@types/mocha": "^10.0.6",
"@types/node": "^20.11.3",
"@wagmi/cli": "^2.0.3",
"@types/node": "^20.17.1",
"@wagmi/cli": "^2.1.16",
"abitype": "^0.10.3",
"chai": "^4.4.1",
"dotenv": "^16.3.1",
"ethereumjs-util": "^7.1.5",
"ethers": "^5.7.2",
"graphql": "^16.8.1",
"graphql": "^16.9.0",
"graphql-request": "^6.1.0",
"hardhat": "2.15.0",
"hardhat-contract-sizer": "^2.10.0",
Expand All @@ -92,7 +92,7 @@
"hardhat-tracer": "^2.7.0",
"hardhat-watcher": "^2.5.0",
"node-fetch": "^3.3.2",
"pino": "^8.17.2",
"pino": "^8.21.0",
"pino-pretty": "^10.3.1",
"shelljs": "^0.8.5",
"solhint-plugin-prettier": "^0.1.0",
Expand All @@ -103,6 +103,6 @@
},
"dependencies": {
"@kleros/vea-contracts": "^0.4.0",
"viem": "^2.21.26"
"viem": "^2.21.35"
}
}
6 changes: 3 additions & 3 deletions kleros-sdk/package.json
@@ -1,6 +1,6 @@
{
"name": "@kleros/kleros-sdk",
"version": "2.1.7",
"version": "2.1.8",
"description": "SDK for Kleros version 2",
"repository": "[email protected]:kleros/kleros-v2.git",
"author": "Kleros",
Expand Down Expand Up @@ -44,10 +44,10 @@
"vitest": "^1.1.3"
},
"dependencies": {
"@reality.eth/reality-eth-lib": "^3.2.30",
"@reality.eth/reality-eth-lib": "^3.2.43",
"@urql/core": "^5.0.8",
"mustache": "^4.2.0",
"viem": "^2.21.26",
"viem": "^2.21.35",
"zod": "^3.22.4"
}
}
9 changes: 6 additions & 3 deletions package.json
Expand Up @@ -27,10 +27,10 @@
"prettier-config",
"tsconfig"
],
"packageManager": "yarn@4.0.2+sha256.825003a0f561ad09a3b1ac4a3b3ea6207af2796d54f62a9420520915721f5186",
"packageManager": "yarn@4.5.1",
"volta": {
"node": "20.11.0",
"yarn": "4.3.1"
"yarn": "4.5.1"
},
"devDependencies": {
"@commitlint/cli": "^17.8.1",
Expand Down Expand Up @@ -62,7 +62,10 @@
"eth-sig-util@npm:^1.4.2": "3.0.0",
"fast-xml-parser": "^4.2.5",
"@babel/traverse:^7.22.5": "^7.23.6",
"yargs-unparser@npm:1.6.0": "1.6.4"
"yargs-unparser@npm:1.6.0": "1.6.4",
"dompurify@npm:^2.4.0": "2.5.7",
"secp256k1@npm:^4.0.1": "4.0.4",
"ws@npm:^8.11.0": "8.18.0"

💡 Codebase verification

Additional vulnerable package versions found - needs attention

The yarn.lock analysis reveals some concerning dependencies that need to be addressed:

  • @types/dompurify is locked at version 2.4.0 (vulnerable)
  • dompurify is indirectly required as "^2.4.0" through isomorphic-dompurify dependency
  • @types/secp256k1 has version 4.0.3 (vulnerable) in one of its declarations

Recommendations:

  • Update @types/dompurify to a version >= 2.4.1
  • Add a resolution for @types/secp256k1 to version 4.0.6 or higher
  • Add an explicit resolution for the indirect dompurify dependency to ensure version 2.5.7 is used
🔗 Analysis chain

LGTM: Security vulnerabilities addressed with appropriate version updates.

The added resolutions successfully address the reported vulnerabilities:

Let's verify these are the only instances of the vulnerable packages:


Let me check the exact versions in the yarn.lock file to ensure all vulnerable versions are properly addressed.


Let me try a different approach to check the yarn.lock content:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any other instances of the vulnerable packages
# that might need updating

echo "Checking for other instances of vulnerable packages..."
rg -l "dompurify.*2\.4\." || echo "No vulnerable dompurify versions found"
rg -l "secp256k1.*4\.0\.3" || echo "No vulnerable secp256k1 versions found"
rg -l "ws.*8\.16\.0" || echo "No vulnerable ws versions found"

Length of output: 304


Script:

#!/bin/bash
# Check the specific versions in yarn.lock
echo "Checking dompurify versions in yarn.lock:"
rg "dompurify@npm.*version" -A 2 yarn.lock

echo -e "\nChecking secp256k1 versions in yarn.lock:"
rg "secp256k1@npm.*version" -A 2 yarn.lock

Length of output: 281


Script:

#!/bin/bash
# Check for any version strings in yarn.lock for these packages
echo "Checking dompurify in yarn.lock:"
rg "dompurify@npm" -A 5 yarn.lock

echo -e "\nChecking secp256k1 in yarn.lock:"
rg "secp256k1@npm" -A 5 yarn.lock

echo -e "\nChecking package.json for these dependencies:"
rg "\"(dompurify|secp256k1|ws)\":" package.json

Length of output: 2776

},
"scripts": {
"check-prerequisites": "scripts/check-prerequisites.sh",
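Review bot: The new `packageManager` value at the top of the hunk drops the `+sha256.…` suffix the previous value carried, so Corepack no longer has an integrity digest to check against the Yarn release it fetches for this field. Because `.yarnrc.yml` in the same commit points `yarnPath` at the committed `.yarn/releases/yarn-4.5.1.cjs`, the practical exposure is limited to Corepack-driven installs, but keeping the pin costs one line: `"packageManager": "yarn@4.5.1+sha256.<SHA256_OF_YARN_4_5_1_RELEASE>"` (placeholder digest; take the real value from the release). Separately, each added resolution is keyed to a single descriptor range (`^2.4.0`, `^4.0.1`, `^8.11.0`), so any other range for these packages elsewhere in the tree is not forced to the patched version; `yarn.lock` is not on this page, so that needs confirming there. The `resolutions` object begins before and continues past the hunk.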
2 changes: 1 addition & 1 deletion subgraph/package.json
Expand Up @@ -78,7 +78,7 @@
"@graphprotocol/graph-cli": "0.64.1",
"@kleros/kleros-v2-eslint-config": "workspace:^",
"@kleros/kleros-v2-prettier-config": "workspace:^",
"gluegun": "^5.1.6",
"gluegun": "^5.2.0",
"matchstick-as": "0.6.0"
},
"dependenciesComments": {
1 change: 1 addition & 0 deletions web-devtools/.env.devnet-neo.public
1 change: 1 addition & 0 deletions web-devtools/.env.devnet-university.public
1 change: 1 addition & 0 deletions web-devtools/.env.devnet.public
3 changes: 2 additions & 1 deletion web-devtools/.gitignore
Expand Up @@ -26,6 +26,7 @@ dist
.env.development.local
.env.test.local
.env.production.local
.env.devnet-university

# generated code
src/hooks/contracts/generated.ts
Expand All @@ -43,4 +44,4 @@ yarn-error.log*

# typescript
*.tsbuildinfo
next-env.d.ts
next-env.d.ts
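Review bot: Only `.env.devnet-university` is added to the ignore list, while the same commit adds `.env.devnet-neo.public` and `.env.devnet.public`, which suggests non-public siblings `.env.devnet-neo` and `.env.devnet` may also exist locally; nothing in the visible hunk ignores those, and the neighbouring `.env.*.local` entries would not match them. Whether an earlier pattern in this file already covers them cannot be seen from here. If not, a pair of entries would ignore every devnet env file while keeping the committed `.public` variants: `.env.devnet*` followed by `!.env.devnet*.public`.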
12 changes: 6 additions & 6 deletions web-devtools/package.json
Expand Up @@ -10,7 +10,7 @@
"packageManager": "[email protected]+sha256.825003a0f561ad09a3b1ac4a3b3ea6207af2796d54f62a9420520915721f5186",
⚠️ Potential issue

Fix package manager version inconsistency.

The packageManager field shows version 4.0.2 while the volta.yarn field shows 4.5.1. This inconsistency should be resolved to prevent potential dependency resolution issues.

Apply this diff to update the packageManager field:

-  "packageManager": "[email protected]+sha256.825003a0f561ad09a3b1ac4a3b3ea6207af2796d54f62a9420520915721f5186",
+  "packageManager": "[email protected]"

Also applies to: 13-13

"volta": {
"node": "20.11.0",
"yarn": "4.3.1"
"yarn": "4.5.1"
},
"scripts": {
"clean": "rimraf .next src/graphql-generated src/hooks/contracts/generated.ts",
Expand All @@ -28,13 +28,13 @@
"@graphql-codegen/cli": "^5.0.2",
"@graphql-codegen/client-preset": "^4.3.2",
"@svgr/webpack": "^8.1.0",
"@types/node": "^20",
"@types/node": "^20.17.1",
"@types/react": "18.2.0",
"@types/react-dom": "^18.2.18",
"@typescript-eslint/eslint-plugin": "^8.8.1",
"@typescript-eslint/parser": "^8.8.1",
"@typescript-eslint/utils": "^8.8.1",
"@wagmi/cli": "^2.0.3",
"@wagmi/cli": "^2.1.16",
"eslint": "^8.57.1",
"eslint-config-next": "^14.2.15",
"eslint-config-prettier": "^9.1.0",
Expand All @@ -49,7 +49,7 @@
"@kleros/kleros-sdk": "workspace:^",
"@kleros/ui-components-library": "^2.15.0",
"@web3modal/wagmi": "^5.1.11",
"graphql": "^16.8.1",
"graphql": "^16.9.0",
"graphql-request": "^7.1.0",
"next": "14.2.14",
"react": "^18.2.0",
Expand All @@ -58,7 +58,7 @@
"react-toastify": "^10.0.5",
"typewriter-effect": "^2.21.0",
"vanilla-jsoneditor": "^0.21.4",
"viem": "^2.1.0",
"wagmi": "^2.2.1"
"viem": "^2.21.35",
"wagmi": "^2.12.25"
}
}
10 changes: 5 additions & 5 deletions web/package.json
Expand Up @@ -61,7 +61,7 @@
"@typescript-eslint/eslint-plugin": "^8.8.1",
"@typescript-eslint/parser": "^8.8.1",
"@typescript-eslint/utils": "^8.8.1",
"@wagmi/cli": "^2.0.3",
"@wagmi/cli": "^2.1.16",
"eslint": "^8.57.1",
"eslint-config-prettier": "^9.1.0",
"eslint-import-resolver-typescript": "^3.6.3",
Expand Down Expand Up @@ -95,7 +95,7 @@
"chartjs-plugin-datalabels": "^2.2.0",
"core-js": "^3.35.0",
"ethers": "^5.7.2",
"graphql": "^16.8.1",
"graphql": "^16.9.0",
"graphql-request": "~6.1.0",
"jose": "^5.2.3",
"moment": "^2.30.1",
Expand All @@ -114,9 +114,9 @@
"react-scripts": "^5.0.1",
"react-toastify": "^9.1.3",
"react-use": "^17.4.3",
"siwe": "^2.3.1",
"siwe": "^2.3.2",
"styled-components": "^5.3.11",
"viem": "^2.17.3",
"wagmi": "^2.12.8"
"viem": "^2.21.35",
"wagmi": "^2.12.25"
}
}