fix(deps): remove @umpirsky/country-list malware; harden provision-keep-client#3905
Open
piotr-roslaniec wants to merge 4 commits into
Conversation
- Upgrade @celo/contractkit 1.0.1 → 10.0.3 (removes @umpirsky/country-list malware)
- Add npm overrides for elliptic >=6.5.7 (GHSA-vjh7-7g9h-fjfh)
- Add npm overrides for @babel/traverse >=7.23.2 (GHSA-8hfj-j24r-ancp)
- Add npm overrides for async >=2.6.4 (CVE-2021-43138)
- Add npm overrides for 30+ other vulnerable transitive dependencies
- Create .npmrc with audit-level=moderate
- Document all fixes in SECURITY-FIXES.md

Verified: elliptic 6.6.1, @babel/traverse 7.29.0, async 2.6.4 installed
Tests: 74 core tests passing, contracts compile successfully
Closes: ENG-630
- Add eslint-plugin-no-only-tests to devDependencies
- Change js-yaml override from ^4.1.0 to ^3.14.0 for eslint 6.x compatibility
- Update package-lock files

This achieves 0 critical/high vulnerabilities per npm audit.
ee302e3 to 6c8cd6b
The audit-level=moderate setting did not behave as the comment claimed (it does not suppress critical/high) and the file referenced the removed SECURITY-FIXES.md. Drop it entirely.
6c8cd6b to 0219b74
Summary

Two unique-value security fixes that main does not currently have:

- Removes `@umpirsky/country-list` malware from `solidity-v1` by upgrading `@celo/contractkit` 1.0.1 → 10.0.3. Main still ships this package (7 references in `solidity-v1/package-lock.json` on main as of this PR).
- Hardens `provision-keep-client` init container. Main has zero overrides on this file; this PR adds 34, covering elliptic, @babel/traverse, axios, async, ws, tar, body-parser, cookie, qs, send, path-to-regexp, serialize-javascript, etc.

Also adds defense-in-depth overrides to `solidity-v1` beyond the two (http-cache-semantics, get-func-name) already on main from #61a58d777.

Context

`solidity-v1/` is marked legacy and preserved-for-reference (per its README, updated 2026-05-06), but the malware path still resolves in its lockfile and the upgrade is the cleanest fix.

`provision-keep-client` is a Kubernetes init container last touched 2023-02 but presumably still deployed; it had no security override coverage at all.

Changes

- `solidity-v1/package.json`: `@celo/contractkit` 1.0.1 → 10.0.3; add 31 npm overrides; add `eslint-plugin-no-only-tests` (required for the lint pass); pin `js-yaml` to ^3.14.0 for eslint 6.x compat
- `solidity-v1/package-lock.json`: `@umpirsky/country-list` no longer resolved
- `provision-keep-client/package.json`
- `provision-keep-client/package-lock.json`

Verification

- `@umpirsky/country-list` references in `solidity-v1/package-lock.json`

Notes

- `npm audit` warnings come from legacy tooling (truffle, ganache, web3.js v1.x) where no upstream fix exists without a major modernization effort. Follow-up tracked separately.
- `@celo/contractkit` v1→v10 jump touches the `alfajores` deployment path in `solidity-v1/truffle-config.js`, which is not exercised in CI. The Celo testnet deployment is not part of regular workflows; flagging here so whoever next runs it knows to verify.

Closes: ENG-630