Update/replace ensdomains
Due to this underlying issue, @truffle/contract is reporting a High severity npm audit failure. A PR which might fix it was submitted several weeks ago but has not been evaluated or merged, and the last commit to make it into that repo was more than a month prior.
Steps to Reproduce
Run npm audit with @truffle/contract@4.4.2 installed in a project.
Expected Behavior
No audit failures.
Actual Results
Several audit failures, including a high-severity Regex DoS stemming from use of glob-parent <5.1.2, and another high-severity prototype pollution issue from y18n. There are also moderate-severity issues in elliptic < 6.5.3 and in mem < 4.0.0 and in yargs-parser <5.0.0 & 7.0.0 which this should fix as well.
Running npm ls glob-parent gives

`-- @truffle/contract@4.4.2
  `-- @ensdomains/ensjs@2.0.1
    `-- @ensdomains/ens@0.4.3
      `-- ethereumjs-testrpc@6.0.3
        `-- webpack@3.12.0
          `-- watchpack@1.7.5
            +-- chokidar@3.5.2
            | `-- glob-parent@5.1.2
            `-- watchpack-chokidar2@2.0.1
              `-- chokidar@2.1.8
                `-- glob-parent@3.1.0
Running npm ls y18n gives

+-- @truffle/contract@4.4.2
| `-- @ensdomains/ensjs@2.0.1
|   `-- @ensdomains/ens@0.4.3
|     +-- ethereumjs-testrpc@6.0.3
|     | `-- webpack@3.12.0
|     |   `-- yargs@8.0.2
|     |     `-- y18n@3.2.2 deduped
|     +-- ganache-cli@6.12.2
|     | `-- yargs@13.2.4
|     |   `-- y18n@4.0.0
|     `-- solc@0.4.26
|       `-- yargs@4.8.1
|         `-- y18n@3.2.2
There is also a moderate-severity issue in ansi-regex under this path, but that’s not the only place it’s found; an update would also be needed in chromafi and pulled into Truffle’s fork of it.
Response options
- Assist @ensdomains in addressing their own deprecated dependency
- Fork the patched dependency and maintain that separately, at least until @ensdomains comes back online
- Remove the dependency on @ensdomains/ensjs and replace it with something else if needed.
- Continue to ignore the issue and hope Truffle users generally don’t care about security to the extent they’d care about npm audit failures.
In creating this Issue, I propose not #4.
Environment
- Operating System: Win10
- Ethereum client: geth
- Truffle version (truffle version): @truffle/contract 4.4.2
- node version (node --version): 16.13.1
- npm version (npm --version): 7.24.0
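One way to automate the path-hunting shown in the npm ls output above, as an added example that is not part of the issue or of Truffle's own code: it walks the parsed output of npm ls --all --json and reports every path to a package still below the version an advisory names as fixed. The chain helper, the my-project root and the sample tree are constructed here to mirror the glob-parent chain reported above.

```javascript
// Added example (not from the issue or Truffle): walk `npm ls --all --json`
// output and list every path to a package older than its fixed version.
// Compare two plain x.y.z versions numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of { name, version, dependencies: { name: {...} } }.
// Returns paths (arrays of "name@version") ending at an instance of pkgName
// older than fixedIn; nodes without a version (missing packages) are skipped.
function findVulnerablePaths(tree, pkgName, fixedIn) {
  const hits = [];
  function walk(node, name, path) {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkgName && node.version && compareVersions(node.version, fixedIn) < 0) {
      hits.push(here);
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  }
  walk(tree, tree.name, []);
  return hits;
}

// Build a linear dependency chain from "name@version" specs (split at the
// last "@" so scoped names such as @ensdomains/ens keep their prefix).
function chain(specs, leafDeps = {}) {
  return specs.reduceRight((deps, spec) => {
    const at = spec.lastIndexOf('@');
    return { [spec.slice(0, at)]: { version: spec.slice(at + 1), dependencies: deps } };
  }, leafDeps);
}

// Constructed sample tree reproducing the glob-parent chain shown in the issue.
const sampleTree = { name: 'my-project', version: '1.0.0', dependencies: chain(
  ['@truffle/contract@4.4.2', '@ensdomains/ensjs@2.0.1', '@ensdomains/ens@0.4.3',
   'ethereumjs-testrpc@6.0.3', 'webpack@3.12.0', 'watchpack@1.7.5'],
  { ...chain(['chokidar@3.5.2', 'glob-parent@5.1.2']),
    ...chain(['watchpack-chokidar2@2.0.1', 'chokidar@2.1.8', 'glob-parent@3.1.0']) }) };

// Only the chokidar@2.1.8 branch is reported; chokidar@3.5.2 already has 5.1.2.
findVulnerablePaths(sampleTree, 'glob-parent', '5.1.2').forEach((p) => console.log(p.join(' > ')));
```

On a real project, replace sampleTree with JSON.parse of the npm ls --all --json output; the same walk then shows which top-level dependency drags each flagged version in.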
The high severity labeled warning appears to no longer be present on the latest version of @truffle/contract. Closing. Thanks @wbt!

There was some initial work done but there is a bit more to be figured out before being able to fully replace it. It is a bit tricky to switch over the functionality that deploys registries/resolvers to test networks.