[Snyk] Fix for 19 vulnerabilities

[Matthelonianxl]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	Yes	Proof of Concept
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eth-json-rpc-infura

The new version differs by 23 commits.

• 2d38ad6 5.1.0 (Make nonce/gas/gasPrice lookups optional in hooked-wallet MetaMask/web3-provider-engine#41)
• 69b3d37 json-rpc-engine@5.3.0, eth-json-rpc-middleware@6.0.0 (Implement hooked-wallet-ethtx to support signing with ethereumjs-tx MetaMask/web3-provider-engine#40)
• 1d44f59 Bump node-fetch from 2.6.0 to 2.6.1 (Zen and the art of provider engine maintenance  MetaMask/web3-provider-engine#39)
• 866c28e v5.0.0 (DB Provider MetaMask/web3-provider-engine#36)
• 978f76c Update package metadata (Use runCall() instead of runTx() in the VMSubprovider MetaMask/web3-provider-engine#38)
• b305099 Remove Babel (VM Subprovider Squelching errors MetaMask/web3-provider-engine#37)
• 80560f3 Use Infura API v3 (wallet subp - track pending nonce MetaMask/web3-provider-engine#32)
• 34d0cd2 Add files pattern to package.json
• 303036f Fix CHANGELOG.md links
• 5ed7f89 v4.1.0 (refactor - provider-subprovider parity MetaMask/web3-provider-engine#31)
• 24a1d0e Use shared ESLint config (Double announce of block MetaMask/web3-provider-engine#30)
• f2c3929 Use node-fetch in place of cross-fetch (cache - address blockchain reorgs MetaMask/web3-provider-engine#29)
• bafc9ef Use eth-rpc-errors@3.0.0 (Caching - handle in-flight caching MetaMask/web3-provider-engine#28)
• b0407f8 Use eth-json-rpc-middleware@4.4.1 ([Snyk] Security upgrade eth-json-rpc-filters from 4.1.0 to 5.1.0 #15)
• 8d0588c Add CODEOWNERS file (strategy and api for sync method support MetaMask/web3-provider-engine#26)
• f7d4c1a Add nvmrc and CircleCI config (filter race condition MetaMask/web3-provider-engine#27)
• c6d0080 yarn import (cache - dont cache old data MetaMask/web3-provider-engine#25)
• 68603e0 Add LICENSE file ([Snyk] Fix for 3 vulnerabilities #23)
• 77df395 Bump elliptic from 6.5.0 to 6.5.3 ([Snyk] Fix for 1 vulnerabilities #22)
• 5ceb8f9 Bump lodash from 4.17.15 to 4.17.19 ([Snyk] Fix for 1 vulnerabilities #20)
• c1b1550 Bump minimist from 1.2.0 to 1.2.5 ([Snyk] Fix for 6 vulnerabilities #16)
• d452be3 4.0.2
• 43c7349 deps - move tape to devDeps

See the full diff

Package name: eth-sig-util

The new version differs by 115 commits.

• 8c6112f v3.0.1 (Add specific error message for gateway timeouts MetaMask/web3-provider-engine#129)
• fc66710 Add changelog (support signTransaction and javascript development with bower MetaMask/web3-provider-engine#128)
• 980d9be Update minimum `tweetnacl` to latest version (add eth_listTransactions MetaMask/web3-provider-engine#123)
• 3d96bb1 Standardize TypeScript and lint configuration (Support React Native MetaMask/web3-provider-engine#111)
• 58559ac Migrate from deprecated `sha3` method to `keccak` (Fix personal recover MetaMask/web3-provider-engine#118)
• a655842 Remove unused dependencies (Add react native support MetaMask/web3-provider-engine#117)
• c7e7bac Switch from `smokestack` to `airtap` (Nonce does not increment MetaMask/web3-provider-engine#115)
• e63bccd Remove `utils/eccrypto-lite` (Coerce addreses to lower case before storing in nonceCache object MetaMask/web3-provider-engine#116)
• 99d4762 Bump ethereumjs-abi (ethereumjs-vm constructor problem with 'null' parameter MetaMask/web3-provider-engine#96)
• 4f0b3e1 3.0.0 (Estimate gas oog MetaMask/web3-provider-engine#108)
• 9f281f0 Add CODEOWNERS file (update ethereumjs-tx version to 1.2.0 MetaMask/web3-provider-engine#103)
• 42c2133 Use bl@4.0.3 (this.provider.sendAsync is not a function MetaMask/web3-provider-engine#102)
• 440a015 Bump elliptic from 6.5.2 to 6.5.3 (Add cache subprovider test MetaMask/web3-provider-engine#101)
• 39c70b3 Bump lodash from 4.17.15 to 4.17.19 (fix cb/end typo MetaMask/web3-provider-engine#99)
• 5e738a8 Update minimist and node-uuid (getCompilers 'cb is not defined' MetaMask/web3-provider-engine#98)
• ce46a36 Remove outdated docs from README (rename receiptRoot to receiptsRoot MetaMask/web3-provider-engine#97)
• 217dd83 Use typescript@3.9.2 (nonce-tracker MetaMask/web3-provider-engine#95)
• ad73314 Add LICENSE file (Update dependencies to enable Greenkeeper 🌴 MetaMask/web3-provider-engine#94)
• 5571f24 Update README.md (use ethereumjs-tx 1.1.3 MetaMask/web3-provider-engine#93)
• 3725c46 Update package.json script entries to use Yarn (Better error handling MetaMask/web3-provider-engine#92)
• 7c0ba6a Use typescript@3.8.3 (added bubbling to hooked wallet for idmgmt layers MetaMask/web3-provider-engine#91)
• 4db1e3d Add recoverTypedSignature_V4 docs (Fix log sanitization MetaMask/web3-provider-engine#90)
• 07fadb3 ci - test against multiple node versions (Fix log sanitization MetaMask/web3-provider-engine#89)
• 11bfc03 Update mkdirp and minimist (Simplify hooked wallet subprovider MetaMask/web3-provider-engine#87)

See the full diff

Package name: ethereumjs-block

The new version differs by 47 commits.

• 128069d Bumped version to v2.2.2, added CHANGELOG entry
• bd2a98e Fixed Travis xvfb issue, added Node 10 and 12
• 2675349 Adds difficulty bomb delay for Muir Glacier hard fork
• 7d34c54 Adding difficulty tests from ethereum/tests
• 30bf607 Bump version to v2.2.1, prepare changelog
• 58ed0a9 Update ethereumjs-tx to v2.1.1
• c5dcbbc Merge pull request subp - hooked wallet - autofail if tx.from doesnt match MetaMask/web3-provider-engine#66 from ethereumjs/remove-tests-from-dist
• c899dc0 Limit the files included in the package to main directory js files, post-added to v2.2.0 release from Adding tests for etherscan MetaMask/web3-provider-engine#65
• b8a3fbf Merge pull request Adding tests for etherscan MetaMask/web3-provider-engine#65 from ethereumjs/new-release-v220
• 49fe4c4 Bumped version to v2.2.0, added CHANGELOG entry
• 97ff421 Merge pull request Add 0x prefix to the LogFilter.address MetaMask/web3-provider-engine#64 from ethereumjs/update-ethereumjs-common-version
• 9dbb00b Update to ethereumjs-common v1.1.0
• 69c73b1 Merge pull request add network option for EtherScan subprovider MetaMask/web3-provider-engine#62 from nicholasjpaterno/master
• a323580 Update index.js error messages
• f8dbba1 Merge pull request Enable homestead featureset in the vm subprovider. MetaMask/web3-provider-engine#61 from ethereumjs/remove-ethereumjs-testing
• d61da4b Remove ethereumjs-testing dependency
• f255f80 Merge pull request "Emulate"/"Substitute" provider MetaMask/web3-provider-engine#60 from whymarrh/buffer-from
• 635682c Replace uses of deprecated `new Buffer` with Buffer.from
• 316968a Merge pull request Add two methods to etherscan subprovider MetaMask/web3-provider-engine#59 from ethereumjs/new-release-v210
• 7019144 Bumped version to v2.1.0, added CHANGELOG entry
• ed4e13e Merge pull request Add new methods to Etherscan MetaMask/web3-provider-engine#57 from ethereumjs/update-chain-tests
• fd59696 Merge branch 'master' into update-chain-tests
• fce008d Merge pull request Support POST method for Etherscan.io MetaMask/web3-provider-engine#54 from alextsg/eip1234
• 3156050 Update chain test data

See the full diff

Package name: ethereumjs-tx

The new version differs by 153 commits.

• a8da65a Merge pull request Hooked Wallet - add support for parity methods MetaMask/web3-provider-engine#190 from ethereumjs/update-common-and-new-release
• 6f8f14a Bumped version to v2.1.2, added CHANGELOG entry, updated README
• 3da414e Updated ethereumjs-common to v1.5.0 (MuirGlacier support)
• ba4ef9a Merge pull request Filters - LogFilter coerces a valid block of 0 to "latest" MetaMask/web3-provider-engine#188 from ryanio/fixTests
• 0b0606e fix test runner by putting tx rlp toBuffer call in try catch block to catch malformed data error
• 2df0cf3 Merge pull request Improve sender validation for hooked-wallet-subprovider MetaMask/web3-provider-engine#187 from ethereumjs/runActionsOnPR
• 5642c73 run gh actions on pr
• 0892118 Merge pull request Remove solc subprovider MetaMask/web3-provider-engine#186 from ethereumjs/github-actions
• 8bf127f use firefox headless
• 3363b72 Merge branch 'master' into github-actions
• 5ffc8ad Merge pull request engine.start() does not work properly on AWS Lambda MetaMask/web3-provider-engine#185 from ryanio/fixTestUtil
• 3c1dd20 fix lint
• 3f22980 fix failing test
• 8264d53 add github actions
• f4cd11f Merge pull request Add Greenkeeper badge 🌴 MetaMask/web3-provider-engine#173 from ethereumjs/new-release-v211
• 8880d6b Bumped version to v2.1.1, added CHANGELOG and README entry
• ad75b65 Merge pull request Trouble using web3.getBalance() and similar functions MetaMask/web3-provider-engine#171 from ethereumjs/istanbul/eip-2028
• acce166 Merge branch 'master' into istanbul/eip-2028
• b7c782a Merge pull request Using the same account from different providers raises nonce error MetaMask/web3-provider-engine#172 from ethereumjs/travis-xvfb
• 0b43165 Fix travis xvfb service
• e0fe03d Add support for EIP-2028 for Istanbul
• 9a6324f Merge pull request Feature: Add personal_decryptMessage method. MetaMask/web3-provider-engine#168 from ethereumjs/new-release-2.1.0
• c33ff1f Add pacakge-lock.json to .gitignore
• 1f61d33 Remove package-lock.json

See the full diff

Package name: ethereumjs-vm

The new version differs by 250 commits.

• c1316fc docs: update
• c389bbb Merge pull request #739 from ethereumjs/vm/release-v4.2.0
• 40ae3cf vm: version bump to 4.2.0
• 7256b20 vm: adding bugfix commit
• 82fa4de vm: explicitly duplicate bignumbers on stack (#733)
• a1dad88 vm: v4.2.0 release notes
• 119808e Merge pull request #663 from ethereum-ts/kk/support-run-block-run-tx-opts
• 46a79d7 Merge branch 'master' into kk/support-run-block-run-tx-opts
• a39c785 Merge pull request #662 from rumkin/b/install-repo
• b5a0890 support in runBlock runTx options
• fef4a99 Fix installation issue. Update level package
• 1824cd0 Merge pull request #658 from ethereumjs/ts-node-api-tests
• 2eb3082 running API tests with ts-node
• 599c2f4 Merge pull request #656 from ethereumjs/fix-autolabeler
• 8b26cfb Merge branch 'master' into fix-autolabeler
• 9e7dc98 Merge pull request #654 from ethereumjs/run-tests-ts
• 85bc0ee Merge branch 'master' into run-tests-ts
• 4671270 Update labeler.yml
• 15dabb7 Merge pull request #653 from ethereumjs/addAPIStateManagerTestsToKarma
• 32f6962 Adding back the stack size variable, in the new format
• 16ed4dc Updating docs pointing ts-node changes
• 301d831 Making necessary changes to test runners for ts-node
• 17672a3 Adding ts-node to some npm scripts
• b52d633 Renaming build:dist to build, for consistency

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Cryptographic Issues
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn