LedgerHQ/ledger-live

[Bug]: Vulnerability from ethers v5.7.2

Closed this issue · 5 comments

Impacted Library name

@ledgerhq/hw-app-eth

Impacted Library version

10.5.0 (using yarn 1.22.21)

Describe the bug

@ledgerhq/hw-app-eth has a dependency on @ledgerhq/evm-tools, which has a dependency on ethers (v5.7.2). Ethers v5.7.2 has a known security vulnerability due to its ws package (ethers-io/ethers.js#4791). The ws issue can be resolved by upgrading ws to version >= 8.17.1, and was actually addressed in ethers versions >= 6.
Can we upgrade the dependency on ethers to v6 or greater to address this vulnerability?

Expected behavior

Upgrade to ethers v6 or greater to address ws vulnerability.

Additional context

DoS vulnerability caused by ws dependency on ethers v5
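As an added check (not part of this issue, and not ledger-live or ethers code): a dependency-free Node script that parses a yarn v1 lockfile, finds every resolved copy of `ws` below 8.17.1, and prints the chain of packages that pulls each one in. This is how to confirm which transitive path the reporter's `yarn 1.22` install is resolving, and to re-check after an override. The lockfile embedded in the script is constructed for the example: the `@ledgerhq/evm-tools` version and `some-other-lib` are placeholders, and the chain `ethers@5.7.2 -> @ethersproject/providers -> ws@7.4.6` is an assumption about how ethers v5 resolves `ws`.

```javascript
// Added example: audit a yarn v1 lockfile for a transitive package below a
// fixed version and report the dependency chains that pull it in.
// Not part of ledger-live; the lockfile text below is constructed.

// Constructed yarn.lock (yarn 1 format). Only ethers 5.7.2 / ws 7.4.6 / ws 8.17.1
// are meant to be realistic; the other versions and packages are placeholders.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@ethersproject/providers@5.7.2":
  version "5.7.2"
  resolved "https://registry.yarnpkg.com/@ethersproject/providers/-/providers-5.7.2.tgz"
  dependencies:
    ws "7.4.6"

"@ledgerhq/evm-tools@^1.0.0":
  version "1.0.0"
  dependencies:
    ethers "5.7.2"

ethers@5.7.2:
  version "5.7.2"
  dependencies:
    "@ethersproject/providers" "5.7.2"

some-other-lib@^2.0.0:
  version "2.3.0"
  dependencies:
    ws "^8.17.1"

ws@7.4.6:
  version "7.4.6"

ws@^8.17.1:
  version "8.18.0"
`;

// Parse the yarn v1 format: an unindented "name@range[, name@range]:" header,
// 2-space "version"/"dependencies:" fields, 4-space "dep \"range\"" lines.
function parseYarnLock(text) {
  const entries = [];      // { keys, name, version, deps: { depName: range } }
  const byKey = new Map(); // "name@range" -> entry, for resolving dependency edges
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0 && body.endsWith(":")) {
      const keys = body.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      const name = keys[0].slice(0, keys[0].lastIndexOf("@")); // range follows the last "@"
      current = { keys, name, version: null, deps: {} };
      entries.push(current);
      for (const k of keys) byKey.set(k, current);
      inDeps = false;
    } else if (indent === 2 && current) {
      if (body.startsWith("version ")) {
        current.version = body.slice("version ".length).replace(/^"|"$/g, "");
        inDeps = false;
      } else {
        inDeps = body === "dependencies:" || body === "optionalDependencies:";
      }
    } else if (indent === 4 && current && inDeps) {
      const m = body.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.deps[m[1]] = m[2];
    }
  }
  return { entries, byKey };
}

// Compare two "major.minor.patch" strings numerically (prerelease tags ignored).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return [{ version, chains }] for every resolved copy of `pkg` below `fixedIn`,
// where each chain reads "root@ver > ... > pkg@ver".
function findBelowFixed(lockText, pkg, fixedIn) {
  const { entries, byKey } = parseYarnLock(lockText);
  const dependents = new Map(); // entry -> entries whose deps resolve to it
  for (const e of entries) {
    for (const [depName, range] of Object.entries(e.deps)) {
      const target = byKey.get(`${depName}@${range}`);
      if (!target) continue; // not in the lockfile (e.g. a workspace package)
      if (!dependents.has(target)) dependents.set(target, []);
      dependents.get(target).push(e);
    }
  }
  const label = (e) => `${e.name}@${e.version}`;
  const chainsTo = (e, seen) => {
    const parents = (dependents.get(e) || []).filter((p) => !seen.has(p));
    if (parents.length === 0) return [[label(e)]];
    const out = [];
    for (const p of parents) {
      for (const chain of chainsTo(p, new Set([...seen, e]))) out.push([...chain, label(e)]);
    }
    return out;
  };
  return entries
    .filter((e) => e.name === pkg && e.version && cmpVersion(e.version, fixedIn) < 0)
    .map((e) => ({ version: e.version, chains: chainsTo(e, new Set()).map((c) => c.join(" > ")).sort() }));
}

// Run against the constructed lockfile; swap in fs.readFileSync("yarn.lock", "utf8") for a real audit.
const findings = findBelowFixed(SAMPLE_LOCK, "ws", "8.17.1");
for (const f of findings) {
  console.log(`ws@${f.version} is below 8.17.1, pulled in via:`);
  for (const c of f.chains) console.log("  " + c);
}
```

On the constructed lockfile this reports one copy, `ws@7.4.6`, reached only through `@ledgerhq/evm-tools > ethers > @ethersproject/providers`, while the `ws@8.18.0` copy pulled in by the placeholder library is clean. Until an upstream bump lands, yarn 1 users can pin the transitive copy from their own `package.json` with a `resolutions` entry such as `"**/ws": "^8.17.1"` and re-run the script to confirm no sub-8.17.1 copy remains; note that this forces a different major version of `ws` than the one the intermediate package pins, so it needs to be tested in the consuming application rather than assumed safe.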

they won't care unless you keep bumping the issue so that the stale bot won't close it, don't forget to insult them every few bumps

Bump, please take a look here! This is a big security vulnerability.

One more time BUMP

This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.

bro lost