This repository was archived by the owner on Jan 24, 2022. It is now read-only.

npm audit reports High vulnerability in @openzeppelin/upgrades@2.8.0 for dependency elliptic #1578

@abcoathup

Description

NPM Advisory:
https://npmjs.com/advisories/1547

From ethers-io/ethers.js#985

I believe the vulnerability does not affect Ethereum, since adding null-byte padding to the front of anything signed as RLP-data or as an EIP-191 payload mangles the meaning of its representation.

Reported in the Community Forum: https://forum.openzeppelin.com/t/vulnerabilities-reported-when-installing-openzeppelin-upgrades-via-npm/3614

$ npm i @openzeppelin/upgrades

...

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN upgrades@1.0.0 No description
npm WARN upgrades@1.0.0 No repository field.

+ @openzeppelin/upgrades@2.8.0
added 415 packages from 321 contributors and audited 415 packages in 32.604s

6 packages are looking for funding
  run `npm fund` for details

found 564 vulnerabilities (1 low, 563 high)
  run `npm audit fix` to fix them, or `npm audit` for details
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Signature Malleability                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ elliptic                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/upgrades                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @openzeppelin/upgrades > ethers > elliptic                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1547                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
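The audit table above pins the problem to one dependency path (@openzeppelin/upgrades > ethers > elliptic) and one fix threshold (>=6.5.3). The script below is an added example, not code from this issue or from the openzeppelin-sdk project: it walks a lockfileVersion 1 package-lock.json the way npm audit does and reports every copy of elliptic older than the patched version, together with the path that pulls it in. The lock file contents are constructed for the example; the ethers version 4.0.47 and the nested elliptic version 6.5.2 are assumptions chosen to reproduce the reported path, and the 6.5.3 threshold comes from the advisory row above.

```javascript
// Added example (not from the openzeppelin-sdk project): walk an npm lockfileVersion 1
// package-lock.json and report every copy of a package below its patched version,
// printing the dependency path like the "Path" row of the npm audit table.

// Threshold from the audit output: "Patched in >=6.5.3" (npm advisory 1547)
const ADVISORY = { name: 'elliptic', patchedIn: '6.5.3' };

// Constructed sample lock file. The nesting mimics
// @openzeppelin/upgrades > ethers > elliptic; the ethers and nested elliptic
// versions are assumptions, not values taken from the issue.
const SAMPLE_LOCK = {
  name: 'upgrades',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    '@openzeppelin/upgrades': {
      version: '2.8.0',
      dependencies: {
        ethers: {
          version: '4.0.47',
          dependencies: {
            elliptic: { version: '6.5.2' }, // unpatched nested copy
          },
        },
      },
    },
    elliptic: { version: '6.5.3' }, // hoisted copy that is already patched
  },
};

// Parse the numeric major.minor.patch core of a version string
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing the numeric cores of two versions
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over nested "dependencies" maps; collects every copy of
// advisory.name whose version is below advisory.patchedIn, with its path.
function findVulnerable(lock, advisory, path = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (name === advisory.name && compareSemver(entry.version, advisory.patchedIn) < 0) {
      out.push({ path: here.join(' > '), version: entry.version });
    }
    findVulnerable(entry, advisory, here, out);
  }
  return out;
}

// Stand-alone usage: prints one line per unpatched copy
if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findVulnerable(SAMPLE_LOCK, ADVISORY)) {
    console.log(`${hit.path}  (${hit.version} < ${ADVISORY.patchedIn})`);
  }
}
```

Reading the lock file directly, rather than relying only on the audit summary, makes it clear whether an `npm audit fix` or a dedupe will actually reach the nested copy: a hoisted elliptic at 6.5.3 does nothing for the older copy pinned underneath ethers, which is exactly the case the sample reproduces.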
