This repository has been archived by the owner on Oct 14, 2021. It is now read-only.

Could you help remove the vulnerabilities in your package? #26

Open
paimon0715 opened this issue Jul 6, 2021 · 0 comments


Hi,

Issue

1 vulnerability (medium severity) is introduced in @pancakeswap-libs/pancake-swap-core:
Vulnerability CVE-2021-23358 (medium severity) is detected in package underscore (versions: >=1.3.2 <1.12.1,>=1.13.0-0 <1.13.0-2): https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
The above vulnerable package is referenced by @pancakeswap-libs/pancake-swap-core via:
@pancakeswap-libs/pancake-swap-core@0.1.0 ➔ truffle-hdwallet-provider@1.0.17 ➔ web3@1.2.1 ➔ web3-bzz@1.2.1 ➔ underscore@1.9.1

Solution

Since @pancakeswap-libs/pancake-swap-core@0.1.* is transitively referenced by 156 downstream projects (e.g., @gravis.finance/uikit 1.1.74 (latest version),
@pancakeswap-libs/sdk-v2 2.2.0 (latest version), kccswap-sdk 0.0.6 (latest version), @gravis.finance/sdk 1.0.9 (latest version), definixswap-sdk 0.0.10-klaytn (latest version),

If @pancakeswap-libs/pancake-swap-core@0.1.* removes the vulnerable packages from the above version, then its fixed version can help downstream users decrease their pain.

Could you help update packages in this version?

Fixing suggestions

In @pancakeswap-libs/pancake-swap-core@0.1.*, you can kindly perform the following upgrades (not crossing their major versions):
truffle-hdwallet-provider ^1.0.17 ➔ 1.0.15;

Note:
truffle-hdwallet-provider 1.0.15 transitively depends on underscore@1.12.1 (a vulnerability CVE-2018-1109 patched version)

Thanks for your contributions to the npm ecosystem!

Best regards,
Paimon
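The issue above reports one dependency path and one vulnerable version range for underscore. The following is an added example (not code from the issue author, from @pancakeswap-libs/pancake-swap-core, or from Snyk) showing how a maintainer could reproduce that kind of finding locally: it walks a constructed "name@version" dependency graph that mirrors the reported chain, finds every path that resolves underscore, and flags the paths whose resolved version falls inside the range the report quotes (">=1.3.2 <1.12.1, >=1.13.0-0 <1.13.0-2"). The graph, the sibling path through `some-dev-tool`, and the helper names are all assumptions made for the example; the range evaluator uses plain SemVer 2.0 precedence rather than node-semver's extra pre-release filtering rule, which the quoted ranges do not exercise.

```javascript
// Added example: flag transitive dependency paths that resolve a vulnerable
// version. Not the project's code; graph and range are constructed from the
// issue text. Runs offline with plain Node.js (no npm packages).

// Parse "1.13.0-2" into { nums: [1, 13, 0], pre: ["2"] }; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0 precedence: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;   // release ranks above any pre-release
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i], y = b.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn) return -1;           // numeric identifiers rank below alphanumeric
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  if (a.pre.length === b.pre.length) return 0;
  return a.pre.length < b.pre.length ? -1 : 1; // shorter pre-release list ranks lower
}

// Range grammar (subset of node-semver): comparator sets separated by "||" or ",",
// comparators within a set separated by spaces, e.g. ">=1.3.2 <1.12.1 || >=1.13.0-0 <1.13.0-2".
// Assumption: pure precedence comparison, without node-semver's pre-release exclusion rule.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  return range.split(/\s*(?:\|\||,)\s*/).some((set) =>
    set.trim().split(/\s+/).every((comp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
      const bound = parseVersion(m[2]);
      if (!bound) throw new Error(`bad comparator: ${comp}`);
      const c = compareVersions(v, bound);
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>':  return c > 0;
        case '<':  return c < 0;
        default:   return c === 0;
      }
    }));
}

// "name@version" -> [name, version]; splits on the last "@" so "@scope/pkg@1.0.0" works.
function splitId(id) {
  const at = id.lastIndexOf('@');
  return [id.slice(0, at), id.slice(at + 1)];
}

// Graph: "name@version" -> { depName: resolvedVersion }. Returns every path
// (array of ids) from `root` to a node whose name is `target`, with a cycle guard.
function findPaths(graph, root, target) {
  const paths = [];
  const walk = (node, path) => {
    const next = [...path, node];
    if (splitId(node)[0] === target) { paths.push(next); return; }
    for (const [dep, ver] of Object.entries(graph[node] || {})) {
      const id = `${dep}@${ver}`;
      if (!path.includes(id)) walk(id, next);
    }
  };
  walk(root, []);
  return paths;
}

// Only the paths whose terminal (resolved) version lies inside `vulnRange`.
function vulnerablePaths(graph, root, target, vulnRange) {
  return findPaths(graph, root, target).filter((p) => satisfies(splitId(p[p.length - 1])[1], vulnRange));
}

// Constructed graph: the chain reported in the issue plus an assumed second
// consumer of underscore that already resolves a patched version.
const ROOT = '@pancakeswap-libs/pancake-swap-core@0.1.0';
const GRAPH = {
  [ROOT]: { 'truffle-hdwallet-provider': '1.0.17', 'some-dev-tool': '2.0.0' },
  'truffle-hdwallet-provider@1.0.17': { web3: '1.2.1' },
  'web3@1.2.1': { 'web3-bzz': '1.2.1' },
  'web3-bzz@1.2.1': { underscore: '1.9.1' },
  'underscore@1.9.1': {},
  'some-dev-tool@2.0.0': { underscore: '1.12.1' },
  'underscore@1.12.1': {},
};
// Vulnerable range for CVE-2021-23358 as quoted in the issue.
const UNDERSCORE_VULN_RANGE = '>=1.3.2 <1.12.1 || >=1.13.0-0 <1.13.0-2';

function report() {
  return vulnerablePaths(GRAPH, ROOT, 'underscore', UNDERSCORE_VULN_RANGE).map((p) => p.join(' -> '));
}

console.log(report().join('\n'));
```

Running it prints only the path through truffle-hdwallet-provider, web3 and web3-bzz; the assumed path that already resolves underscore@1.12.1 is silent, which is the distinction a maintainer needs when deciding which edge of the tree to change. Against a real install, the same walk would be fed from `package-lock.json` (or the output of `npm ls underscore --all`) instead of the constructed graph.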
