Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade solidity-coverage from 0.7.21 to 0.8.13 #37

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

nek0ill
Copy link
Owner

@nek0ill nek0ill commented Sep 29, 2024

snyk-top-banner

Snyk has created this PR to upgrade solidity-coverage from 0.7.21 to 0.8.13.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 24 versions ahead of your current version.

  • The recommended version was released on a month ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Asymmetric Resource Consumption (Amplification)
SNYK-JS-BODYPARSER-7926860
696 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JS-WS-7266574
696 Proof of Concept
high severity Improper Verification of Cryptographic Signature
SNYK-JS-BROWSERIFYSIGN-6037026
696 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ES5EXT-6095076
696 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
696 Proof of Concept
medium severity Open Redirect
SNYK-JS-GOT-2932019
696 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHTOREGEXP-7925106
696 Proof of Concept
medium severity Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831
696 Proof of Concept
medium severity Open Redirect
SNYK-JS-GOT-2932019
696 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-HTTPCACHESEMANTICS-3248783
696 Proof of Concept
medium severity Uncontrolled Resource Consumption ('Resource Exhaustion')
SNYK-JS-TAR-6476909
696 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873
696 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-COOKIEJAR-3149984
696 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
696 No Known Exploit
medium severity Cross-site Scripting
SNYK-JS-EXPRESS-7926867
696 No Known Exploit
low severity Cross-site Scripting
SNYK-JS-SEND-7926862
696 No Known Exploit
low severity Cross-site Scripting
SNYK-JS-SERVESTATIC-7926865
696 No Known Exploit
low severity Insecure Credential Storage
SNYK-JS-WEB3-174533
696 No Known Exploit
Release notes
Package name: solidity-coverage
  • 0.8.13 - 2024-08-29

    🐛 Bug Fixes

    This release fixes a bug that caused the plugin to error when used with hardhat-viem in combination with a forked network.

    What's Changed

    • Error if --solcoverjs passed but file is nonexistent by @ area in #889
    • Stop overwriting forking config in extendConfig by @ cgewecke in #893
    • Misc docs fixes

    New Contributors

    Full Changelog: v0.8.12...v0.8.13

  • 0.8.13-rc.0 - 2024-08-29
  • 0.8.12 - 2024-04-05

    What's Changed

    • Adds "work-around" support for the hardhat-viem plugin. If you're using viem, run the coverage task with:
      SOLIDITY_COVERAGE=true npx hardhat coverage
      
    • Adds support for solc v0.4.x
    • Fixes a bug where plugin crashed if the contract sources directory name contained a period.
    • Fixes a bug where instrumentation failed if there was whitespace between require statement and the terminating semi-colon

    PRs

    Full Changelog: v0.8.11...v0.8.12

  • 0.8.11 - 2024-03-07

    Summary

    0.8.11 fixes a(nother) bug that resulted in some line hits remaining undetected when compiling with viaIR=true

    What's Changed

    • Check all SWAP opcodes for inst. hashes when viaIR is true by @ cgewecke in #873

    Full Changelog: v0.8.10...v0.8.11

  • 0.8.10 - 2024-02-29

    Summary

    0.8.10 fixes a bug that resulted in some line hits remaining undetected when compiling with viaIR=true

    What's Changed

    • Check all PUSH opcodes for instr. hashes when viaIR is true by @ cgewecke in #871

    Full Changelog: v0.8.9...v0.8.10

  • 0.8.10-rc.0 - 2024-02-28
  • 0.8.9 - 2024-02-27

    What's Changed

    • Fix regression introduced in 0.8.7 where modifier branch coverage for modifiers inherited from a dependency was not measured correctly in some cases @ cgewecke in #868

    Full Changelog: v0.8.8...v0.8.9

  • 0.8.9-rc.0 - 2024-02-25
  • 0.8.8 - 2024-02-21

    What's Changed

    • Fix bug when instrumenting hardhat flattened contracts:
      • Only inject file-level instr. for first pragma in file by @ cgewecke in #865
    • Fix 0% coverage when using with hardhat-foundry & foundry.toml is present:
      • Coerce sources path to absolute path if necessary by @ cgewecke in #866

    Install

    npm install --save-dev solidity-coverage@latest
    npx hardhat clean
    

    Full Changelog: v0.8.7...v0.8.8

  • 0.8.7 - 2024-02-10

    What's Changed

    viaIR now allowed

    This release (hopefully) fixes a long-running problem solidity-coverage had with solc's viaIR compilation mode - It's now possible to use it without any special configuration. (Please report any ongoing issues with this to issue #861)

    If you've been using .solcover.js options like configureYulOptimizer and solcOptimizerDetails as a work around, you should remove them when upgrading. (Don't forget to run the hardhat clean task after updating any coverage config stuff).

    --network no longer allowed

    Sadly the ganache client has been deprecated. The coverage plugin never worked with its latest major version and the network flag only existed for its sake. Going forward, the network option throws an error notifying the user that coverage only uses the HardhatEVM network.

    --sources cli option

    You can now select a single file (or folder) at the command line to generate coverage for. This option should speed things up if you've been waiting for the plugin to instrument everything in a large project whenever you run the command.

    $ npx hardhat coverage --sources MyFile.sol
    $ npx hardhat coverage --sources MyFolder

    (Thanks so much @ clauBv23 for adding this!)

    Funding

    OpenZeppelin has very generously funded recent work at solidity-coverage via DRIPS, a public goods protocol which helps you direct money to projects in your dependency tree. Thanks so much! ❤️

    Links to relevant PRs

    • Add command option to specify the source files to run the coverage on (#806) by @ clauBv23 in #838
    • Remove ganache-cli related code from API & tests by @ cgewecke in #849
    • Add missing onPreCompile stage hook by @ cgewecke in #851
    • Enable coverage when viaIR compiler flag is true by @ cgewecke in #854

    Full Changelog: v0.8.6...v0.8.7

  • 0.8.7-viaIR.0 - 2024-02-09
  • 0.8.6 - 2024-01-29

    What's Changed

    Fixes

    • Perform ternary conditional injections before branch injections (#828) by @ cgewecke in #828
    • Fix chained ternary conditionals instrumentation by @ cgewecke in #830
    • Fix instrumentation error for virtual modifiers by @ cgewecke in #832
    • Throw error when mocha parallel is set to true by @ cgewecke in #833

    Documentation

    • Update faq.md with another viaIR optimizer config workaround by @ remedcu in #822
    • Document Istanbul check-coverage cli command by @ cgewecke in #834

    Dependencies

    Misc

    New Contributors

    Full Changelog: v0.8.5...v0.8.6

  • 0.8.6-sha1.0 - 2023-10-14
  • 0.8.5 - 2023-09-22

    What's Changed

    New Contributors

    Full Changelog: v0.8.4...v0.8.5

  • 0.8.4 - 2023-07-04

    What's Changed

    New Contributors

    Full Changelog: v0.8.2...v0.8.4

  • 0.8.3 - 2023-06-22
  • 0.8.2 - 2022-09-08
  • 0.8.1 - 2022-09-06
  • 0.8.0 - 2022-09-05
  • 0.8.0-rc.test.0 - 2022-04-26
  • 0.8.0-rc.1 - 2022-03-29
  • 0.8.0-beta.1 - 2022-03-29
  • 0.8.0-beta.0 - 2021-01-13
  • 0.7.22 - 2022-09-05
  • 0.7.21 - 2022-04-24
from solidity-coverage GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"solidity-coverage","from":"0.7.21","to":"0.8.13"}],"env":"prod","hasFixes":true,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-BODYPARSER-7926860","issue_id":"SNYK-JS-BODYPARSER-7926860","priority_score":696,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"8.2","score":410},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Asymmetric Resource Consumption (Amplification)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-WS-7266574","issue_id":"SNYK-JS-WS-7266574","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Denial of Service (DoS)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-BROWSERIFYSIGN-6037026","issue_id":"SNYK-JS-BROWSERIFYSIGN-6037026","priority_score":589,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Improper Verification of Cryptographic Signature"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-ES5EXT-6095076","issue_id":"SNYK-JS-ES5EXT-6095076","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-WS-1296835","issue_id":"SNYK-JS-WS-1296835","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-GOT-2932019","issue_id":"SNYK-JS-GOT-2932019","priority_score":484,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.4","score":270},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-PATHTOREGEXP-7925106","issue_id":"SNYK-JS-PATHTOREGEXP-7925106","priority_score":738,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.9","score":345},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-REQUEST-3361831","issue_id":"SNYK-JS-REQUEST-3361831","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Server-side Request Forgery (SSRF)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-GOT-2932019","issue_id":"SNYK-JS-GOT-2932019","priority_score":484,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.4","score":270},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-HTTPCACHESEMANTICS-3248783","issue_id":"SNYK-JS-HTTPCACHESEMANTICS-3248783","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-TAR-6476909","issue_id":"SNYK-JS-TAR-6476909","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Uncontrolled Resource Consumption ('Resource Exhaustion')"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-TOUGHCOOKIE-5672873","issue_id":"SNYK-JS-TOUGHCOOKIE-5672873","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Prototype Pollution"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-COOKIEJAR-3149984","issue_id":"SNYK-JS-COOKIEJAR-3149984","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-EXPRESS-6474509","issue_id":"SNYK-JS-EXPRESS-6474509","priority_score":519,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.1","score":305},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-EXPRESS-7926867","issue_id":"SNYK-JS-EXPRESS-7926867","priority_score":541,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.1","score":255},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Cross-site Scripting"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-SEND-7926862","issue_id":"SNYK-JS-SEND-7926862","priority_score":391,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"2.1","score":105},{"type":"scoreVersion","label":"v1","score":1}],"severity":"low","title":"Cross-site Scripting"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-SERVESTATIC-7926865","issue_id":"SNYK-JS-SERVESTATIC-7926865","priority_score":391,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"2.1","score":105},{"type":"scoreVersion","label":"v1","score":1}],"severity":"low","title":"Cross-site Scripting"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-WEB3-174533","issue_id":"SNYK-JS-WEB3-174533","priority_score":379,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"3.3","score":165},{"type":"scoreVersion","label":"v1","score":1}],"severity":"low","title":"Insecure Credential Storage"}],"prId":"37f9925a-c885-427c-8519-b062f9e2dadf","prPublicId":"37f9925a-c885-427c-8519-b062f9e2dadf","packageManager":"npm","priorityScoreList":[696,696,589,696,586,484,738,646,586,646,646,586,519,541,391,391,379],"projectPublicId":"c8db6975-f9ad-4b1f-b5e8-94654e147c9d","projectUrl":"https://app.snyk.io/org/muisance/project/c8db6975-f9ad-4b1f-b5e8-94654e147c9d?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["priorityScore"],"type":"auto","upgrade":["SNYK-JS-BODYPARSER-7926860","SNYK-JS-WS-7266574","SNYK-JS-BROWSERIFYSIGN-6037026","SNYK-JS-ES5EXT-6095076","SNYK-JS-WS-1296835","SNYK-JS-GOT-2932019","SNYK-JS-PATHTOREGEXP-7925106","SNYK-JS-REQUEST-3361831","SNYK-JS-GOT-2932019","SNYK-JS-HTTPCACHESEMANTICS-3248783","SNYK-JS-TAR-6476909","SNYK-JS-TOUGHCOOKIE-5672873","SNYK-JS-COOKIEJAR-3149984","SNYK-JS-EXPRESS-6474509","SNYK-JS-EXPRESS-7926867","SNYK-JS-SEND-7926862","SNYK-JS-SERVESTATIC-7926865","SNYK-JS-WEB3-174533"],"upgradeInfo":{"versionsDiff":24,"publishedDate":"2024-08-29T04:37:55.789Z"},"vulns":["SNYK-JS-BODYPARSER-7926860","SNYK-JS-WS-7266574","SNYK-JS-BROWSERIFYSIGN-6037026","SNYK-JS-ES5EXT-6095076","SNYK-JS-WS-1296835","SNYK-JS-GOT-2932019","SNYK-JS-PATHTOREGEXP-7925106","SNYK-JS-REQUEST-3361831","SNYK-JS-GOT-2932019","SNYK-JS-HTTPCACHESEMANTICS-3248783","SNYK-JS-TAR-6476909","SNYK-JS-TOUGHCOOKIE-5672873","SNYK-JS-COOKIEJAR-3149984","SNYK-JS-EXPRESS-6474509","SNYK-JS-EXPRESS-7926867","SNYK-JS-SEND-7926862","SNYK-JS-SERVESTATIC-7926865","SNYK-JS-WEB3-174533"]}'

Snyk has created this PR to upgrade solidity-coverage from 0.7.21 to 0.8.13.

See this package in npm:
solidity-coverage

See this project in Snyk:
https://app.snyk.io/org/muisance/project/c8db6975-f9ad-4b1f-b5e8-94654e147c9d?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link

vercel bot commented Sep 29, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
excalibur ❌ Failed (Inspect) Sep 29, 2024 5:47pm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants