Installing the latest web3 version 1.3.5 on Ubuntu with npm version 7.12.0 fails with a couple of high severity errors. What is the typical time-frame for a fix?
```
underscore 1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution - https://npmjs.com/advisories/1674
No fix available
node_modules/underscore
  web3-bzz <=1.3.5
  Depends on vulnerable versions of underscore
  node_modules/web3-bzz
    web3 *
    Depends on vulnerable versions of web3-bzz
    Depends on vulnerable versions of web3-eth
    node_modules/web3
  web3-core-helpers *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-helpers
    web3-eth-ens *
    Depends on vulnerable versions of underscore
    Depends on vulnerable versions of web3-core-helpers
    node_modules/web3-eth-ens
      web3-eth *
      Depends on vulnerable versions of underscore
      Depends on vulnerable versions of web3-eth-ens
      node_modules/web3-eth
    web3-providers-http *
    Depends on vulnerable versions of web3-core-helpers
    node_modules/web3-providers-http
  web3-core-method *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-method
    web3-core *
    Depends on vulnerable versions of web3-core-method
    node_modules/web3-core
    web3-eth-personal *
    Depends on vulnerable versions of web3-core-method
    Depends on vulnerable versions of web3-net
    node_modules/web3-eth-personal
    web3-net <=1.0.0-beta.55 || >=1.2.0
    Depends on vulnerable versions of web3-core-method
    node_modules/web3-net
      web3-shh <=1.3.5
      Depends on vulnerable versions of web3-core-method
      Depends on vulnerable versions of web3-net
      node_modules/web3-shh
  web3-core-requestmanager *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-requestmanager
  web3-core-subscriptions *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-subscriptions
  web3-eth-abi *
  Depends on vulnerable versions of underscore
  node_modules/web3-eth-abi
  web3-eth-accounts *
  Depends on vulnerable versions of underscore
  node_modules/web3-eth-accounts
  web3-eth-contract *
  Depends on vulnerable versions of underscore
  node_modules/web3-eth-contract
  web3-providers-ipc *
  Depends on vulnerable versions of underscore
  node_modules/web3-providers-ipc
  web3-providers-ws *
  Depends on vulnerable versions of underscore
  node_modules/web3-providers-ws
  web3-utils >=1.0.0-beta.8
  Depends on vulnerable versions of underscore
  node_modules/web3-utils
    web3-eth-iban *
    Depends on vulnerable versions of web3-utils
    node_modules/web3-eth-iban

web3 *
Severity: high
Insecure Credential Storage - https://npmjs.com/advisories/877
Depends on vulnerable versions of web3-bzz
Depends on vulnerable versions of web3-eth
No fix available
node_modules/web3

21 high severity vulnerabilities
```
We run `npm ci && npm audit --audit-level=high` in our project's CI pipeline and we have encountered this underscore issue today.

There's already a GitHub issue about it:
We are now waiting for a new release (patch). Before that, a quick fix and a possible solution would be to search for `underscore` in your package-lock.json and to manually update the underscore version there, because `npm audit fix` won't fix it automatically.

We had version 1.9.1 in use and updated to 1.12.1 (which is listed in the audit log as a stable one). Kindly change these lines for every occurrence of underscore:
```
1.9.1
=> 1.12.1

https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
=> https://registry.npmjs.org/underscore/-/underscore-1.12.1.tgz

sha512-5/4etnCkd9c8gwgowi5/om/mYO5ajCaOgdzj/oW+0eQV9WxKBDZw5+ycmKmeaTXjInS/W0BzpGLo2xR2aBwZdg==
=> sha512-hEQt0+ZLDVUMhebKxL4x1BTtDY7bavVofhZ9KZ4aI26X9SRaE+Y3m83XUL1UP2jn8ynjndwCCpEHdUG+9pP1Tw==
```
This way `npm ci` will get versions from package-lock.json and no error will occur. But `npm install` will ignore it...

Here's the difference between these two commands if needed: Difference between npm install and npm ci
UPDATE
Also, you can use the npm-force-resolutions package in order to set the specific version of the underscore package:

1. Add `"resolutions": { "underscore": "1.12.1" }` to your package.json;
2. Add a preinstall script so it runs before `npm install` starts: `"scripts": { "preinstall": "npx npm-force-resolutions" }`;
3. Run `npm install` or `npx npm-force-resolutions` and see your changes in package-lock.json. Also `npm audit` won't find those vulnerabilities.

FINAL UPDATE

web3@1.3.6 with all fixes is available; you can update your local package.
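The lock-file edit described in the answer above, done programmatically, as an added example that is not part of the question or the answer and not code from the web3 or npm projects. It walks a package-lock.json, finds every `underscore` entry whose version falls in the advisory's vulnerable range (1.3.2 - 1.12.0, as quoted in the audit output), and rewrites `version`, `resolved` and `integrity` to the 1.12.1 values the answer lists. It handles both the nested `dependencies` tree of lockfile v1 and the flat `packages` map of lockfile v2/v3. The sample lock embedded at the bottom is constructed for the demonstration; the pinned URL and sha512 values are the ones on the page.

```javascript
// Added example: pin every vulnerable `underscore` entry in a package-lock.json.
// Assumptions (not from the page): lockfile v1 `dependencies` nesting and/or
// lockfile v2/v3 `packages` keys of the form "node_modules/.../underscore".

// Vulnerable range from advisory 1674 as shown in the audit output above.
const VULNERABLE_RANGE = { min: '1.3.2', max: '1.12.0' };

// Target values copied from the answer's package-lock.json edit.
const PINNED = {
  version: '1.12.1',
  resolved: 'https://registry.npmjs.org/underscore/-/underscore-1.12.1.tgz',
  integrity: 'sha512-hEQt0+ZLDVUMhebKxL4x1BTtDY7bavVofhZ9KZ4aI26X9SRaE+Y3m83XUL1UP2jn8ynjndwCCpEHdUG+9pP1Tw==',
};

// Numeric x.y.z comparison; underscore releases in the range carry no prerelease tags,
// so a plain three-component compare is enough here. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, VULNERABLE_RANGE.min) >= 0 &&
         compareVersions(version, VULNERABLE_RANGE.max) <= 0;
}

// Overwrite one lock entry in place with the pinned coordinates.
function pinEntry(entry) {
  entry.version = PINNED.version;
  entry.resolved = PINNED.resolved;
  entry.integrity = PINNED.integrity;
}

// Mutates `lock` and returns the list of locations that were changed.
function pinUnderscore(lock) {
  const changed = [];

  // lockfile v2/v3: flat map keyed by install path.
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/underscore$/.test(key) && isVulnerable(entry.version)) {
      pinEntry(entry);
      changed.push(key);
    }
  }

  // lockfile v1 (also kept in v2 for compatibility): nested dependencies tree.
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (name === 'underscore' && isVulnerable(entry.version)) {
        pinEntry(entry);
        changed.push(here.join(' > '));
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return changed;
}

// Non-mutating wrapper: returns the rewritten lock plus the change list.
function run(lock) {
  const copy = JSON.parse(JSON.stringify(lock));
  return { lock: copy, changed: pinUnderscore(copy) };
}

// Constructed sample lock (not a real project's file): two vulnerable copies at
// different depths plus one already-patched copy that must be left alone.
const OLD = {
  version: '1.9.1',
  resolved: 'https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz',
  integrity: 'sha512-5/4etnCkd9c8gwgowi5/om/mYO5ajCaOgdzj/oW+0eQV9WxKBDZw5+ycmKmeaTXjInS/W0BzpGLo2xR2aBwZdg==',
};
const SAMPLE_LOCK = {
  name: 'demo-project', lockfileVersion: 2,
  packages: {
    '': { name: 'demo-project' },
    'node_modules/underscore': { ...OLD },
    'node_modules/web3-utils': { version: '1.3.5' },
    'node_modules/web3-utils/node_modules/underscore': { version: '1.12.0' },
    'node_modules/other-lib/node_modules/underscore': { ...PINNED },
  },
  dependencies: {
    underscore: { ...OLD },
    'web3-utils': { version: '1.3.5', dependencies: { underscore: { version: '1.12.0' } } },
    'other-lib': { version: '2.0.0', dependencies: { underscore: { ...PINNED } } },
  },
};

// CLI use: `node pin-underscore.js [path/to/package-lock.json]`; with no path the sample is used.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2];
  const input = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const { lock, changed } = run(input);
  console.log(`pinned ${changed.length} underscore entr${changed.length === 1 ? 'y' : 'ies'}:`);
  changed.forEach((c) => console.log('  ' + c));
  if (file) fs.writeFileSync(file, JSON.stringify(lock, null, 2) + '\n');
}
```

After rewriting the lock, rerun `npm ci && npm audit --audit-level=high` to confirm the advisory no longer fires; as the answer notes, `npm install` may regenerate the lock from package.json ranges, so the edit only holds for `npm ci` workflows unless a resolutions/override mechanism is also in place.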