This repository was archived by the owner on Dec 11, 2024. It is now read-only.

Conversation

@renovate
Contributor

@renovate renovate bot commented Mar 29, 2024

This PR contains the following updates:

Package | Change
web3    | 1.8.1 -> 1.8.2
web3    | 1.3.6 -> 1.5.3

Insecure Credential Storage in web3

GHSA-27v7-qhfv-rqq8

More information

Details

All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Severity

  • CVSS Score: 3.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

ChainSafe/web3.js (web3)

v1.8.2

Compare Source

Changed
  • Updated Webpack 4 to Webpack 5, more details at (#5629)
  • crypto-browserify module is now used only in webpack builds for polyfilling browsers (#5629)
  • Updated ethereumjs-util to 7.1.5 (#5629)
  • Updated lerna 4 to version 6 (#5680)
  • Bump utils 0.12.0 to 0.12.5 (#5691)
Fixed
  • Fixed types for web3.utils._jsonInterfaceMethodToString (#5550)
  • Fixed Next.js builds failing on Node.js v16, AbortController added if it doesn't exist globally (#5601)
  • Builds fixed by updating all typescript versions to 4.1 (#5675)
Removed
  • clean-webpack-plugin has been removed from dev-dependencies (#5629)
Added
  • https-browserify, process, stream-browserify, stream-http, crypto-browserify added to dev-dependencies for polyfilling (#5629)
  • Add readable-stream to dev-dependencies for webpack (#5629)
Security
  • npm audit fix for libraries update (#5726)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.
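The advisory quoted above (GHSA-27v7-qhfv-rqq8) turns on one fact: anything a page writes to Web Storage is readable by every script that runs on that origin, so a persisted wallet, even an encrypted one, is one XSS away from being copied off the machine. The following is an added example, not code from this PR or from web3.js: a defender-side audit that walks a localStorage-like object and reports entries holding wallet material, plus the obvious mitigation of clearing the persisted wallet when the session ends. It assumes (this is not stated on the page) that web3.js 1.x saves the wallet under the storage key "web3js_wallet" as a JSON array of V3 keystore objects; the storage shim and all stored values are constructed for the example and contain no real secrets.

```javascript
// Added example, not code from this PR or from web3.js: audit a Web Storage object
// (localStorage) for persisted wallet material, the class of issue described by
// GHSA-27v7-qhfv-rqq8. Any script running on the origin can read these values,
// which is why the advisory pairs the issue with an XSS precondition.
//
// Assumption (not stated on the page): web3.js 1.x saves the wallet under the
// storage key "web3js_wallet" as a JSON array of V3 keystore objects.
const WEB3_WALLET_KEY = 'web3js_wallet';
const RAW_PRIVATE_KEY = /^(0x)?[0-9a-fA-F]{64}$/;

// Minimal in-memory stand-in for window.localStorage so the audit runs offline (constructed).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// A V3 keystore carries "version": 3 and a crypto block with the ciphertext.
function isKeystoreV3(obj) {
  return obj !== null && typeof obj === 'object' && obj.version === 3 &&
    obj.crypto !== undefined && typeof obj.crypto.ciphertext === 'string';
}

// Returns one finding per storage entry that holds wallet material.
function auditWalletStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    if (typeof value !== 'string') continue;

    // Worst case: a raw 32-byte private key persisted in the clear.
    if (RAW_PRIVATE_KEY.test(value.trim())) {
      findings.push({ key, severity: 'high', reason: 'raw private key stored in plaintext' });
      continue;
    }

    let parsed;
    try { parsed = JSON.parse(value); } catch { continue; }
    const entries = Array.isArray(parsed) ? parsed : [parsed];

    // A V3 keystore is password-encrypted, but it still sits where any script on
    // the origin can read it and carry it off for offline password guessing.
    if (entries.some(isKeystoreV3)) {
      findings.push({ key, severity: 'medium', reason: 'encrypted keystore persisted in Web Storage' });
      continue;
    }
    // Also flag an account object persisted together with its privateKey field.
    if (entries.some(e => e && typeof e.privateKey === 'string' && RAW_PRIVATE_KEY.test(e.privateKey))) {
      findings.push({ key, severity: 'high', reason: 'decrypted account object with privateKey persisted' });
    }
  }
  return findings;
}

// Mitigation: do not leave wallet material behind once the session is done.
// Returns true if something was actually removed.
function clearPersistedWallet(storage, key = WEB3_WALLET_KEY) {
  const present = storage.getItem(key) !== null;
  storage.removeItem(key);
  return present;
}

// Constructed sample contents; the ciphertext and keys are placeholder bytes, not real secrets.
function sampleStorage() {
  const s = new MemoryStorage();
  s.setItem('theme', 'dark');
  s.setItem(WEB3_WALLET_KEY, JSON.stringify([{
    version: 3, id: '00000000-0000-4000-8000-000000000000', address: '00'.repeat(20),
    crypto: { cipher: 'aes-128-ctr', ciphertext: 'ab'.repeat(32), kdf: 'scrypt' },
  }]));
  s.setItem('debug_key', '0x' + '11'.repeat(32));
  s.setItem('session', JSON.stringify({ address: '0x' + '00'.repeat(20), privateKey: '0x' + '22'.repeat(32) }));
  return s;
}

console.log(auditWalletStorage(sampleStorage()));
```

Run against the constructed sample, the audit reports three entries: the persisted keystore (medium), a raw hex key (high) and an account object carrying its privateKey (high); the `theme` entry is ignored. In a real page you would pass `window.localStorage` (and `sessionStorage`) instead of the shim, run the audit from a test or a CSP-reporting hook, and call `clearPersistedWallet` on logout so nothing survives the session.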

@vercel

vercel bot commented Mar 29, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name       | Status            | Updated (UTC)
react-celo | ❌ Failed (Inspect) | Oct 10, 2024 2:29am

@socket-security

socket-security bot commented Mar 29, 2024

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package        | New capabilities                                                     | Transitives | Size    | Publisher
npm/web3@1.5.3 | Transitive: environment, eval, filesystem, network, shell, unsafe | +159        | 23.9 MB | spacesailor


@socket-security

socket-security bot commented Mar 29, 2024

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.


@renovate renovate bot changed the title from "chore(deps): update dependency web3 to v1.10.4 [security]" to "chore(deps): update dependency web3 to v1.10.4 [security] - autoclosed" Apr 18, 2024
@renovate renovate bot closed this Apr 18, 2024
@renovate renovate bot deleted the renovate/npm-web3-vulnerability branch April 18, 2024 18:05
@renovate renovate bot changed the title from "chore(deps): update dependency web3 to v1.10.4 [security] - autoclosed" to "chore(deps): update dependency web3 to v1.10.4 [security]" Apr 19, 2024
@renovate renovate bot restored the renovate/npm-web3-vulnerability branch April 19, 2024 06:52
@renovate renovate bot reopened this Apr 19, 2024
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from c6a1e90 to a6d3f6a Compare April 19, 2024 06:52
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from a6d3f6a to 4b7bc62 Compare June 7, 2024 05:36
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from 4b7bc62 to 8edf13e Compare June 18, 2024 20:57
@renovate renovate bot changed the title from "chore(deps): update dependency web3 to v1.10.4 [security]" to "chore(deps): update dependency web3 [security]" Jun 18, 2024
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from 8edf13e to b9f36e1 Compare July 23, 2024 23:43
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from b9f36e1 to a9527ef Compare October 10, 2024 02:28
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-web3-vulnerability branch from a9527ef to d299a9f Compare December 3, 2024 23:44