
chore: fix node dependency security issue #1999

Merged (1 commit, Feb 3, 2025)

Conversation

gabriel-aranha-cw (Contributor) commented Feb 3, 2025

User description

Fixes:
https://github.com/cloudwalk/stratus/security/dependabot/69
https://github.com/cloudwalk/stratus/security/dependabot/68
https://github.com/cloudwalk/stratus/security/dependabot/67
https://github.com/cloudwalk/stratus/security/dependabot/66


PR Type

Enhancement, Bug fix


Description

  • Update undici to version 6.21.1

  • Remove outdated undici dependencies

  • Add undici as direct devDependency

  • Resolve security vulnerabilities in node dependencies


Changes walkthrough 📝

Relevant files

Dependencies

package-lock.json (e2e/cloudwalk-contracts/integration/package-lock.json): Update undici and related dependencies
  • Updated undici to version 6.21.1
  • Removed outdated undici dependencies
  • Added undici as a direct devDependency
  • Updated related package versions
  +30/-16

package.json (e2e/cloudwalk-contracts/integration/package.json): Add undici as devDependency
  • Added undici version 6.21.1 as a devDependency
  +1/-0

package-lock.json (e2e/package-lock.json): Update undici and related dependencies
  • Updated undici to version 6.21.1
  • Removed outdated undici dependencies
  • Added undici as a direct devDependency
  • Updated related package versions
  +30/-16

package.json (e2e/package.json): Add undici as devDependency
  • Added undici version 6.21.1 as a devDependency
  +1/-0

@gabriel-aranha-cw gabriel-aranha-cw changed the title from "chore: fix node security issue" to "chore: fix node dependency security issue" on Feb 3, 2025

    github-actions bot commented Feb 3, 2025

    PR Reviewer Guide 🔍

    (Review updated until commit 0fe4417)

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Dependency Version Mismatch

    There are multiple versions of undici being used across different dependencies. This could lead to potential compatibility issues.

        "version": "5.28.5",
        "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
        "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
        "dev": true,
        "peer": true,
        "dependencies": {
            "@fastify/busboy": "^2.0.0"
        },
        "engines": {
            "node": ">=14.0"
        }
    },


    github-actions bot commented Feb 3, 2025

    PR Code Suggestions ✨

    Latest suggestions up to 0fe4417
    Explore these optional code suggestions:

Category: General
Suggestion: Align undici versions across dependencies

    Consider updating the undici version in the @nomicfoundation/hardhat-verify and
    hardhat dependencies to match the project-wide version (6.21.1) for consistency and
    to avoid potential conflicts.

    e2e/cloudwalk-contracts/integration/package-lock.json [1598-1610]

     "node_modules/@nomicfoundation/hardhat-verify/node_modules/undici": {
    -    "version": "5.28.5",
    -    "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
    -    "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
    +    "version": "6.21.1",
    +    "resolved": "https://registry.npmjs.org/undici/-/undici-6.21.1.tgz",
    +    "integrity": "sha512-q/1rj5D0/zayJB2FraXdaWxbhWiNKDvu8naDT2dl1yTlvJp4BLtOcp2a5BvgGNQpYYJzau7tf1WgKv3b+7mqpQ==",
         "dev": true,
         "peer": true,
    -    "dependencies": {
    -        "@fastify/busboy": "^2.0.0"
    -    },
         "engines": {
    -        "node": ">=14.0"
    +        "node": ">=18.17"
         }
     },
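Review bot: hand-editing the nested entry at `node_modules/@nomicfoundation/hardhat-verify/node_modules/undici` in the lock does not change what npm resolves on the next install; that copy exists because hardhat-verify declares its own undici range, so `npm install` will regenerate the 5.28.5 entry, its `@fastify/busboy` dependency and the old `engines` block from that range. Suggest adding an `overrides` entry for undici (for example `"overrides": { "undici": "6.21.1" }`) to this workspace's package.json and letting npm rewrite the lock, so the version, resolved URL and integrity shown in the `+` lines come from resolution rather than from a pasted edit.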
    Suggestion importance[1-10]: 7

    Why: Updating the undici version for dependencies to match the project-wide version (6.21.1) improves consistency and reduces potential compatibility issues. This change is important for maintaining a coherent dependency structure.

Score: 7

Suggestion: Synchronize undici versions across dependencies

    Update the undici version in the @nomicfoundation/hardhat-verify and hardhat
    dependencies to match the project-wide version (6.21.1) for consistency and to
    prevent potential compatibility issues.

    e2e/package-lock.json [1592-1604]

     "node_modules/@nomicfoundation/hardhat-verify/node_modules/undici": {
    -    "version": "5.28.5",
    -    "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
    -    "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
    +    "version": "6.21.1",
    +    "resolved": "https://registry.npmjs.org/undici/-/undici-6.21.1.tgz",
    +    "integrity": "sha512-q/1rj5D0/zayJB2FraXdaWxbhWiNKDvu8naDT2dl1yTlvJp4BLtOcp2a5BvgGNQpYYJzau7tf1WgKv3b+7mqpQ==",
         "dev": true,
         "peer": true,
    -    "dependencies": {
    -        "@fastify/busboy": "^2.0.0"
    -    },
         "engines": {
    -        "node": ">=14.0"
    +        "node": ">=18.17"
         }
     },
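Review bot: the `+` lines raise `engines.node` from `>=14.0` to `>=18.17` for this copy, so the e2e runner's Node version must already satisfy that before undici 6.21.1 is pinned here, otherwise the suite breaks on install rather than at test time; check the Node version used by CI for the `e2e/` workspace. The hand-copied `integrity` value is also only valid if it matches the 6.21.1 tarball npm fetches; a mismatch makes `npm ci` fail with an EINTEGRITY error, which is another reason to let npm generate this entry instead of pasting it.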
    Suggestion importance[1-10]: 7

    Why: Updating the undici version in dependencies to match the project-wide version (6.21.1) enhances consistency and mitigates potential compatibility problems. This change is significant for maintaining a uniform dependency structure across the project.

Score: 7

    Previous suggestions

    Suggestions up to commit 0fe4417
Category: Possible issue
Suggestion: Standardize 'undici' version across dependencies

    Ensure that the 'undici' version is consistent across all dependencies to avoid
    potential conflicts. Currently, there are multiple versions (5.28.5 and 6.21.1)
    being used.

    e2e/cloudwalk-contracts/integration/package-lock.json [1598-1610]

     "node_modules/@nomicfoundation/hardhat-verify/node_modules/undici": {
    -    "version": "5.28.5",
    -    "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
    -    "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
    +    "version": "6.21.1",
    +    "resolved": "https://registry.npmjs.org/undici/-/undici-6.21.1.tgz",
    +    "integrity": "sha512-q/1rj5D0/zayJB2FraXdaWxbhWiNKDvu8naDT2dl1yTlvJp4BLtOcp2a5BvgGNQpYYJzau7tf1WgKv3b+7mqpQ==",
         "dev": true,
         "peer": true,
    -    "dependencies": {
    -        "@fastify/busboy": "^2.0.0"
    -    },
         "engines": {
    -        "node": ">=14.0"
    +        "node": ">=18.17"
         }
     },
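Review bot: the `"dev": true, "peer": true` flags on this entry mean the lingering 5.28.5 copy is installed only for the e2e dev toolchain (hardhat-verify), which bounds the exposure of the linked Dependabot alerts to the test environment but does not clear them for this workspace while the nested copy remains. After the lock is regenerated, `npm ls undici` in the workspace should list only 6.21.1; if 5.28.5 still appears, the fix has to go through the parent package's range or an `overrides` entry, not this lock entry.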
    Suggestion importance[1-10]: 7

    Why: Standardizing the 'undici' version across dependencies is important for maintaining consistency and avoiding potential conflicts. The suggestion correctly identifies the discrepancy between versions 5.28.5 and 6.21.1.

Score: 7

    @gabriel-aranha-cw gabriel-aranha-cw marked this pull request as ready for review February 3, 2025 14:18

    github-actions bot commented Feb 3, 2025

    Persistent review updated to latest commit 0fe4417

    @gabriel-aranha-cw gabriel-aranha-cw enabled auto-merge (squash) February 3, 2025 14:20
    @gabriel-aranha-cw gabriel-aranha-cw merged commit 3122472 into main Feb 3, 2025
    38 checks passed
    @gabriel-aranha-cw gabriel-aranha-cw deleted the sec-issues branch February 3, 2025 14:53