This repository was archived by the owner on Jan 24, 2022. It is now read-only.
I believe the vulnerability does not affect Ethereum, since adding null-byte padding to the front of anything signed as RLP-data or as an EIP-191 payload mangles the meaning of its representation.
$ npm i @openzeppelin/upgrades
...
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN [email protected] No description
npm WARN [email protected] No repository field.
+ @openzeppelin/[email protected]
added 415 packages from 321 contributors and audited 415 packages in 32.604s
6 packages are looking for funding
run `npm fund` for details
found 564 vulnerabilities (1 low, 563 high)
run `npm audit fix` to fix them, or `npm audit` for details
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Signature Malleability │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ elliptic │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=6.5.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/upgrades │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @openzeppelin/upgrades > ethers > elliptic │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1547 │
└───────────────┴──────────────────────────────────────────────────────────────┘
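
To confirm which installed copies of `elliptic` fall below the `>=6.5.3` floor reported in the audit table, the lockfile can be checked directly. The following is an added example, not code from the issue or from the OpenZeppelin project; `findVulnerable` and the sample lockfile are constructed for illustration, and pre-release suffixes are ignored when comparing versions.

```javascript
// Added example: list every installed copy of `elliptic` older than the
// "Patched in" version shown in the audit table above (6.5.3).
const PATCHED = [6, 5, 3];

// "6.5.2" or "6.5.3-rc.1" -> [6, 5, 2]; returns null for git URLs, tarballs, etc.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(version, floor) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable version: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== floor[i]) return p[i] < floor[i];
  }
  return false; // equal to the floor, so patched
}

// `lock` is a parsed package-lock.json. Returns [{ path, version }], where
// path is the install location in node_modules, not the logical dependency chain.
function findVulnerable(lock, name = 'elliptic', floor = PATCHED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by "node_modules/a/node_modules/b".
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (!key.endsWith('node_modules/' + name) || !isBelow(meta.version, floor)) continue;
      const parts = key.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
      hits.push({ path: parts.join(' > '), version: meta.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects.
  (function walk(deps, trail) {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name && isBelow(meta.version, floor)) hits.push({ path: here.join(' > '), version: meta.version });
      walk(meta.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (versions are illustrative, not taken from the issue).
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  elliptic: { version: '6.5.3' },
  ethers: { version: '1.0.0', dependencies: { elliptic: { version: '6.5.2' } } },
} };
console.log(findVulnerable(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as `lock`; an empty result means every resolved copy is at or above the patched version.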