[Bug]: Vulnerability from ethers v5.7.2 #8173

Open
samuel-kim-mesh opened this issue Oct 23, 2024 · 3 comments
Labels
bug Something isn't working libraries Impacts the Libraries triage In need of triage

Comments

@samuel-kim-mesh
Impacted Library name

@ledgerhq/hw-app-eth

Impacted Library version

10.5.0 (using yarn 1.22.21)

Describe the bug

@ledgerhq/hw-app-eth has a dependency on @ledgerhq/evm-tools, which has a dependency on ethers (v5.7.2). Ethers v5.7.2 has a known security vulnerability due to its ws package: ethers-io/ethers.js#4791. The ws issue can be resolved by upgrading ws to version >= 8.17.1, and it was actually addressed in ethers versions >= 6.
Can we upgrade dependency for ethers to v6 or greater to address this vulnerability?

Expected behavior

Upgrade to ethers v6 or greater to address ws vulnerability.

Additional context

DoS vulnerability caused by ws dependency on ethers v5

@samuel-kim-mesh samuel-kim-mesh added bug Something isn't working libraries Impacts the Libraries triage In need of triage labels Oct 23, 2024
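The issue body above describes a transitive chain (@ledgerhq/hw-app-eth -> @ledgerhq/evm-tools -> ethers v5.7.2 -> ws) and a minimum fixed ws version (>= 8.17.1). The script below is an added example, not code from the issue or from the Ledger libraries: it scans a yarn v1 lockfile for every resolved version of a named package that is below a given minimum, and emits the package.json `resolutions` entry that forces yarn to hoist a patched release while an upstream bump is pending. The lockfile fragment is constructed for the example (its resolved URLs are illustrative), and `parseYarnLock`, `findVulnerableVersions` and `resolutionsOverride` are the example's own names.

```javascript
// Added example: audit a yarn v1 lockfile offline for a transitive dependency
// pinned below a fixed version, and build the "resolutions" override for it.

// Constructed yarn.lock fragment resembling what a project depending on
// @ledgerhq/hw-app-eth -> @ledgerhq/evm-tools -> ethers@5 might contain.
// Resolved URLs are illustrative; they are not copied from a real lockfile.
const SAMPLE_LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@ledgerhq/evm-tools@^1.0.0":
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/@ledgerhq/evm-tools/-/evm-tools-1.0.0.tgz"

ethers@^5.7.2:
  version "5.7.2"
  resolved "https://registry.yarnpkg.com/ethers/-/ethers-5.7.2.tgz"

ws@7.4.6:
  version "7.4.6"
  resolved "https://registry.yarnpkg.com/ws/-/ws-7.4.6.tgz"

ws@^8.13.0, ws@^8.17.1:
  version "8.17.1"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz"
`;

// Parse a yarn v1 lockfile into [{ selectors: [...], version }] records.
// An unindented line ending in ":" opens an entry whose comma-separated
// selectors ("name@range") may be quoted; the indented `version "x.y.z"`
// line that follows is the version yarn actually resolved for all of them.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const selectors = line
        .slice(0, -1)
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { selectors, version: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// "ws@7.4.6" -> "ws"; "@ledgerhq/evm-tools@^1.0.0" -> "@ledgerhq/evm-tools".
// The range separator is the last "@" that is not the scope prefix at index 0.
function packageNameOf(selector) {
  const at = selector.lastIndexOf('@');
  return at > 0 ? selector.slice(0, at) : selector;
}

// Numeric major.minor.patch comparison; a prerelease suffix is ignored,
// which is conservative for a "below fixed version" check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every distinct resolved version of `pkg` that is older than `minFixed`,
// sorted ascending. An empty array means the lockfile is clean for that package.
function findVulnerableVersions(lockText, pkg, minFixed) {
  const seen = new Set();
  for (const e of parseYarnLock(lockText)) {
    if (!e.version) continue;
    const isPkg = e.selectors.some((s) => packageNameOf(s) === pkg);
    if (isPkg && compareVersions(e.version, minFixed) < 0) seen.add(e.version);
  }
  return [...seen].sort(compareVersions);
}

// package.json fragment that makes yarn v1 resolve `pkg` to a patched release
// everywhere in the tree, regardless of what the transitive dependents request.
function resolutionsOverride(pkg, minFixed) {
  return { resolutions: { [pkg]: `^${minFixed}` } };
}

// Stand-alone usage on the constructed lockfile.
const vulnerable = findVulnerableVersions(SAMPLE_LOCKFILE, 'ws', '8.17.1');
console.log('ws versions below 8.17.1:', vulnerable);
if (vulnerable.length > 0) {
  console.log('add to package.json:', JSON.stringify(resolutionsOverride('ws', '8.17.1'), null, 2));
}
```

On a real checkout, `yarn why ws` shows which dependents pulled in each resolved copy. A `resolutions` override is a stopgap, not a fix: it forces a different major of ws underneath ethers v5 than the one it was released against, so run the project's test suite against the hoisted version before shipping. ws also published the same fix in its 7.x line as 7.5.10, which avoids the major-version jump; the example takes the minimum version as a parameter so either threshold can be checked.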
@surfaceflinger

They won't care unless you keep bumping the issue so that the stale bot won't close it; don't forget to insult them every few bumps.

@samuel-kim-mesh (Author)

Bump, please take a look here! This is a big security vulnerability.

@samuel-kim-mesh (Author)

One more time BUMP

Development: No branches or pull requests

2 participants