[Snyk] Fix for 23 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • static/node/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSTAR-559095	Yes	Proof of Concept
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	Information Exposure SNYK-JS-SIMPLEGET-2361683	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	379/1000 Why? Has a fix available, CVSS 3.3	Insecure Credential Storage SNYK-JS-WEB3-174533	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
	641/1000 Why? Mature exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:concat-stream:20160901	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @truffle/config

The new version differs by 250 commits.

• dddefba Publish
• f7b63fb Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4798 from trufflesuite/update-lodash-imports
• d0ca778 reduce lodash imports to those necessary
• 526248f Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4795 from trufflesuite/update-deps
• e890842 Update yarn.lock
• 0c06248 Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4791 from trufflesuite/panic-at-the-contract
• 0bf2131 Update lodash and module dependencies to fix critical CVE
• 62b4650 Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4796 from trufflesuite/remove-module-package
• 802d354 Remove unneeded module package
• 2ac45ef Merge pull request System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#4794 from trufflesuite/chore/disable-ethpm-test
• 38f9337 truffle: disable EthPM zeppelin integration test
• 50007d3 Add test of panic codes in Truffle Contract
• 7590f72 Update Truffle Contract tests to Solidity 0.8.12
• 3efa551 Add support for panic decoding in Truffle Contract
• 08ce82d Merge pull request System Error when running Ganache 2.5.4 on darwin trufflesuite/ganache-ui#4787 from trufflesuite/dependabot/npm_and_yarn/url-parse-1.5.10
• 02bf787 Bump url-parse from 1.5.7 to 1.5.10
• 19aa614 Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4781 from trufflesuite/init-0812
• a42a8e4 Update Solidity version in Truffle Init to 0.8.12
• 611e006 Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4772 from trufflesuite/network-issue-4327
• dc4b327 Change variable name
• 449b5db Update packages/core/lib/commands/test/run.js
• 445ee7a Add comments in the code
• a11dfb2 Publish
• d66a795 Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4745 from trufflesuite/open-the-gates

See the full diff

Package name: @truffle/decoder

The new version differs by 250 commits.

• fb27278 Publish
• b31b941 Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4363 from trufflesuite/archaeology
• c1cb87d Add test of compiling on Solidity <0.4.20
• 9e51fe6 Merge pull request System Error when running Ganache 2.5.4 on win32 trufflesuite/ganache-ui#4346 from trufflesuite/extract-web3-eth
• 9500eea Update type for Eip1193Provider request method
• 5467f5b Remove unused import
• b29a361 Rename type
• 58ff2d6 Add block type and add typings
• cdbe05b Simplify check for eip1193-compliancy
• ebe5c41 Add type for 1193-compliant provider
• bd5ff12 Simplify variable name
• ff9d48a Add Log type and adjust a typing
• ccddc9d Rename Web3Adapter to ProviderAdapter
• d2b9dfc Refine some methods and tweak return values to keep parity with web3's returns
• 0fef3d8 Remove web3-eth and implement our own rpc calls
• 0a6e24e Write our own implementation for eth_getCode in decoder
• a422fe4 Adjust implementation for web3-eth to copy the style in the docs
• 537ad5a Remove type, refine a type, and get ts to compile
• ecf743a Add getStorageAt method and use it in decoders
• b34657e Update decoders to use web3Adapter instead of web3 directly
• 6a0aac8 Add one more method and loosen a type or two to continue hacking
• 7afff55 Add a few more methods to Web3Adapter class
• efac32b Refine types a bit and update call to getPastLogs
• c66e6dd WIP for implementing the Web3Adapter for the decoder

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cryptographic Issues
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn

[secure-code-warrior-for-github]

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
• OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code Injection"

What is this? (2min video)

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about Code Injection, and links to various OWASP resources to help detect or prevent it.
• SEI CERT Oracle Coding Standard for Java - Prevent Code Injection - Carnegie Mellon University Software Engineering Institute guidance on preventing code injection vulnerabilities in Java.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Exposure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Open redirect (Detected by phrase)

Matched on "Open Redirect"

What is this? (2min video)

This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Unvalidated Redirects and Forwards Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing redirection and forwarding flaws in your applications.
• Preventing Open Redirection Attacks (C#) - A detailed Microsoft article on how to prevent open redirection vulnerabilities in ASP.NET MVC.

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Timing attack (Detected by phrase)

Matched on "Timing Attack"

What is this? (2min video)

This vulnerability manifests when the difference in response times from a given process can expose sensitive information or change the flow of a given process. For example, in a semi-controlled environment (where response times should be even under regular circumstances) this could be used to identify whether or not certain data is present in a given data storage.

Try a challenge in Secure Code Warrior