Address security vulnerabilities

[ScottyPoi]

Addressing 12 vulnerabilities re issue: #2903

1. Devp2p

• Removed dependency: @types/chalk@2.2.0:
• Update import of multiaddr/convert to remove Require

2. Client:

• Update peer-id dependency
• Update multiaddr dependency to @multiformats/multiaddr

3. Trie

• Remove 0x dependency

ALL REMAINING VULNERABILITIES
caused by:

multiaddr v10.0.01 is deprecated
to be replaced by @multiformats/multiaddr

currently unable to update due to ESM conflicts.

[codecov]

Codecov Report

Merging #2912 (35228cf) into master (84c57cb) will increase coverage by 2.99%.
The diff coverage is 100.00%.

Additional details and impacted files

Flag	Coverage Δ
block	?
blockchain	?
client	88.34% <100.00%> (+0.04%)	⬆️
common	?
ethash	?
evm	?
statemanager	?
trie	?
tx	95.96% <ø> (ø)
util	?
vm	?

Flags with carried forward coverage won't be shown. Click here to find out more.

[ScottyPoi]

Halfway there!

[ScottyPoi]

[holgerd77]

Looks already pretty good, thanks for tackling! 🤩

(1-2 CI runs failing, just to mention)

[holgerd77]

Maybe @acolytec3 can confirm, but we removed libp2p completely from the core build, so I would think these two dependencies shouldn't show up here at all? 🤔

[acolytec3]

Depends on how we're using peer-id. That library got radically changed a while back so you might need that factory for even our limited usage.

[ScottyPoi]

Mostly found in client/libp2pBrowserBuild

[holgerd77]

Ah, another require gone, great! 😃

[holgerd77]

I am personally ok with dropping the 0x dependency, this was added for convenience I guess when we were very much into "flame-graphing" 😂, but I guess it's totally ok respectively likely better if such a tools are just installed in a global scope by everyone who uses them.

[ScottyPoi]

it wasn't in use anywhere that i could find 🤷

and it was responsible for like 9 vulnerabilities 😆

[acolytec3]

So some potential bad news on the front of trying to upgrade the multiaddr dep. That module is now ESM only, so the reason we're seeing this Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: No "exports" main defined in... error in the devp2p examples scripts and in the client is that those being run as CommonJS modules and like so many other challenges with ESM, you can't statically import ESM modules in CJS code. So...since the IPFS/libp2p Javascript world has elected to go ESM only (and not provide CJS builds), we either need to internalize all the multiaddr usage in our code or just pin this old dependency. Multiaddrs are futureproof so in theory our usage should never change.

[acolytec3]

So just to follow up, I'd be a fan of backing out the multiaddr and merging this with just the other stuff removed for now and we tackle multiaddrs in a future update.

[ScottyPoi]

So just to follow up, I'd be a fan of backing out the multiaddr and merging this with just the other stuff removed for now and we tackle multiaddrs in a future update.

Ok, I'll rewind that change and make an issue about it for future us.

[ScottyPoi]

strangely -- reverting back to the deprecated mutliaddr v10.0.1 did not bring back the vulnerability warning
🤔

oh, actually it did, 🙄

[acolytec3]

LGTM! I think we might be able to get rid of the peerId stuff entirely but that can be a further PR as needed.