Untitled

npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit No fix available for @nomicfoundation/hardhat-toolbox@*
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @nomicfoundation/hardhat-toolbox@1.0.2
npm WARN Found: @types/mocha@10.0.1
npm WARN node_modules/@types/mocha
npm WARN   dev @types/mocha@"^10.0.1" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @types/mocha@"^9.1.0" from @nomicfoundation/hardhat-toolbox@1.0.2
npm WARN node_modules/@nomicfoundation/hardhat-toolbox
npm WARN   dev @nomicfoundation/hardhat-toolbox@"^1.0.2" from the root project 
npm WARN
npm WARN Conflicting peer dependency: @types/mocha@9.1.1
npm WARN node_modules/@types/mocha
npm WARN   peer @types/mocha@"^9.1.0" from @nomicfoundation/hardhat-toolbox@1.0.2
npm WARN   node_modules/@nomicfoundation/hardhat-toolbox
npm WARN     dev @nomicfoundation/hardhat-toolbox@"^1.0.2" from the root project
npm WARN deprecated uuid@2.0.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain 
circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@2.0.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain 
circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@2.0.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain 
circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@2.0.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain 
circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

added 40 packages, removed 6 packages, changed 1 package, and audited 2030 packages in 18s

183 packages are looking for funding
  run `npm fund` for details

# npm audit report

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/async
  ganache-core  *
  Depends on vulnerable versions of async
  Depends on vulnerable versions of web3
  Depends on vulnerable versions of web3-provider-engine
  node_modules/ganache-core
    @ethereum-waffle/provider  <=4.0.0-dev.e3fa452
    Depends on vulnerable versions of ganache-core
    node_modules/@ethereum-waffle/provider
      @ethereum-waffle/chai  2.5.0 - 4.0.0-dev.e3fa452
      Depends on vulnerable versions of @ethereum-waffle/provider
      node_modules/@ethereum-waffle/chai
        ethereum-waffle  >=2.3.0-istanbul.0
        Depends on vulnerable versions of @ethereum-waffle/chai
        Depends on vulnerable versions of @ethereum-waffle/compiler
        Depends on vulnerable versions of @ethereum-waffle/provider
        node_modules/ethereum-waffle

cookiejar  <2.1.4
Severity: moderate
cookiejar Regular Expression Denial of Service via Cookie.parse function - https://github.com/advisories/GHSA-h452-7996-h45h
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/cookiejar

cross-fetch  <=2.2.5 || 3.0.0 - 3.1.4 || 3.2.0-alpha.0 - 3.2.0-alpha.2
Severity: high
Incorrect Authorization in cross-fetch - https://github.com/advisories/GHSA-7gc6-qh9x-w6h8
Depends on vulnerable versions of node-fetch
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/cross-fetch

decode-uri-component  <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/decode-uri-component

elliptic  <6.5.4
Severity: moderate
Use of a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/elliptic
  @ethersproject/signing-key  <=5.0.9
  Depends on vulnerable versions of elliptic
  node_modules/ganache-core/node_modules/@ethersproject/signing-key

flat  <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
No fix available
node_modules/eth-gas-reporter/node_modules/flat
  yargs-unparser  <=1.6.3
  Depends on vulnerable versions of flat
  node_modules/eth-gas-reporter/node_modules/yargs-unparser
    mocha  5.1.0 - 9.2.1
    Depends on vulnerable versions of minimatch
    Depends on vulnerable versions of yargs-unparser
    node_modules/eth-gas-reporter/node_modules/mocha
      eth-gas-reporter  >=0.0.5
      Depends on vulnerable versions of mocha
      Depends on vulnerable versions of request
      node_modules/eth-gas-reporter
        hardhat-gas-reporter  *
        Depends on vulnerable versions of eth-gas-reporter
        node_modules/hardhat-gas-reporter
          @nomicfoundation/hardhat-toolbox  *
          Depends on vulnerable versions of hardhat-gas-reporter
          Depends on vulnerable versions of solidity-coverage
          node_modules/@nomicfoundation/hardhat-toolbox

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/ganache-core/node_modules/got
node_modules/ganache-core/node_modules/swarm-js/node_modules/got
node_modules/got
  swarm-js  0.1.1 - 0.1.17 || >=0.1.35
  Depends on vulnerable versions of eth-lib
  Depends on vulnerable versions of got
  node_modules/ganache-core/node_modules/swarm-js
  node_modules/swarm-js
    web3-bzz  *
    Depends on vulnerable versions of got
    Depends on vulnerable versions of swarm-js
    Depends on vulnerable versions of underscore
    node_modules/@truffle/interface-adapter/node_modules/web3-bzz
    node_modules/ganache-core/node_modules/web3-bzz
    node_modules/web3-bzz
      web3  <=3.0.0-rc.4
      Depends on vulnerable versions of web3-bzz
      Depends on vulnerable versions of web3-bzz
      Depends on vulnerable versions of web3-eth
      Depends on vulnerable versions of web3-shh
      node_modules/@truffle/interface-adapter/node_modules/web3
      node_modules/ganache-core/node_modules/web3
      node_modules/web3
        @truffle/interface-adapter  *
        Depends on vulnerable versions of web3
        node_modules/@truffle/interface-adapter
          @truffle/provider  *
          Depends on vulnerable versions of @truffle/interface-adapter
          Depends on vulnerable versions of web3
          node_modules/@truffle/provider
            solidity-coverage  0.7.0-beta.0 - 0.8.0-rc.test.0
            Depends on vulnerable versions of @truffle/provider
            node_modules/solidity-coverage
              @nomicfoundation/hardhat-toolbox  *
              Depends on vulnerable versions of hardhat-gas-reporter
              Depends on vulnerable versions of solidity-coverage
              node_modules/@nomicfoundation/hardhat-toolbox
        ganache-core  *
        Depends on vulnerable versions of async
        Depends on vulnerable versions of web3
        Depends on vulnerable versions of web3-provider-engine
        node_modules/ganache-core
          @ethereum-waffle/provider  <=4.0.0-dev.e3fa452
          Depends on vulnerable versions of ganache-core
          node_modules/@ethereum-waffle/provider
            @ethereum-waffle/chai  2.5.0 - 4.0.0-dev.e3fa452
            Depends on vulnerable versions of @ethereum-waffle/provider
            node_modules/@ethereum-waffle/chai
              ethereum-waffle  >=2.3.0-istanbul.0
              Depends on vulnerable versions of @ethereum-waffle/chai
              Depends on vulnerable versions of @ethereum-waffle/compiler
              Depends on vulnerable versions of @ethereum-waffle/provider
              node_modules/ethereum-waffle

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/http-cache-semantics

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/ganache-core/node_modules/jsprim

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/babel-core/node_modules/json5
  babel-core  5.8.20 - 7.0.0-beta.3
  Depends on vulnerable versions of babel-register
  Depends on vulnerable versions of json5
  node_modules/ganache-core/node_modules/babel-core
    babel-register  *
    Depends on vulnerable versions of babel-core
    node_modules/ganache-core/node_modules/babel-register
    babelify  7.0.0 - 7.3.0
    Depends on vulnerable versions of babel-core
    node_modules/ganache-core/node_modules/babelify
      json-rpc-engine  2.2.0 - 4.0.0
      Depends on vulnerable versions of babelify
      node_modules/ganache-core/node_modules/json-rpc-engine
        eth-block-tracker  2.3.0 - 3.0.1
        Depends on vulnerable versions of json-rpc-engine
        node_modules/ganache-core/node_modules/eth-block-tracker
          web3-provider-engine  *
          Depends on vulnerable versions of eth-block-tracker
          Depends on vulnerable versions of eth-json-rpc-infura
          Depends on vulnerable versions of request
          node_modules/ganache-core/node_modules/web3-provider-engine
            ganache-core  *
            Depends on vulnerable versions of async
            Depends on vulnerable versions of web3
            Depends on vulnerable versions of web3-provider-engine
            node_modules/ganache-core
              @ethereum-waffle/provider  <=4.0.0-dev.e3fa452
              Depends on vulnerable versions of ganache-core
              node_modules/@ethereum-waffle/provider
                @ethereum-waffle/chai  2.5.0 - 4.0.0-dev.e3fa452
                Depends on vulnerable versions of @ethereum-waffle/provider
                node_modules/@ethereum-waffle/chai
                  ethereum-waffle  >=2.3.0-istanbul.0
                  Depends on vulnerable versions of @ethereum-waffle/chai
                  Depends on vulnerable versions of @ethereum-waffle/compiler
                  Depends on vulnerable versions of @ethereum-waffle/provider
                  node_modules/ethereum-waffle
        eth-json-rpc-infura  <=5.0.0
        Depends on vulnerable versions of eth-json-rpc-middleware
        Depends on vulnerable versions of json-rpc-engine
        node_modules/ganache-core/node_modules/eth-json-rpc-infura
        eth-json-rpc-middleware  1.1.0 - 5.1.0
        Depends on vulnerable versions of eth-tx-summary
        Depends on vulnerable versions of ethereumjs-block
        Depends on vulnerable versions of fetch-ponyfill
        Depends on vulnerable versions of json-rpc-engine
        node_modules/ganache-core/node_modules/eth-json-rpc-middleware

lodash  <4.17.21
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/lodash

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
No fix available
node_modules/eth-gas-reporter/node_modules/minimatch
node_modules/ganache-core/node_modules/minimatch
  mocha  5.1.0 - 9.2.1
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of yargs-unparser
  node_modules/eth-gas-reporter/node_modules/mocha
    eth-gas-reporter  >=0.0.5
    Depends on vulnerable versions of mocha
    Depends on vulnerable versions of request
    node_modules/eth-gas-reporter
      hardhat-gas-reporter  *
      Depends on vulnerable versions of eth-gas-reporter
      node_modules/hardhat-gas-reporter
        @nomicfoundation/hardhat-toolbox  *
        Depends on vulnerable versions of hardhat-gas-reporter
        Depends on vulnerable versions of solidity-coverage
        node_modules/@nomicfoundation/hardhat-toolbox

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/minimist

node-fetch  <=2.6.6
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/fetch-ponyfill/node_modules/node-fetch
node_modules/ganache-core/node_modules/node-fetch
  cross-fetch  <=2.2.5 || 3.0.0 - 3.1.4 || 3.2.0-alpha.0 - 3.2.0-alpha.2
  Depends on vulnerable versions of node-fetch
  node_modules/ganache-core/node_modules/cross-fetch
  fetch-ponyfill  1.0.0 - 6.0.2
  Depends on vulnerable versions of node-fetch
  node_modules/ganache-core/node_modules/fetch-ponyfill
    eth-json-rpc-middleware  1.1.0 - 5.1.0
    Depends on vulnerable versions of eth-tx-summary
    Depends on vulnerable versions of ethereumjs-block
    Depends on vulnerable versions of fetch-ponyfill
    Depends on vulnerable versions of json-rpc-engine
    node_modules/ganache-core/node_modules/eth-json-rpc-middleware
      eth-json-rpc-infura  <=5.0.0
      Depends on vulnerable versions of eth-json-rpc-middleware
      Depends on vulnerable versions of json-rpc-engine
      node_modules/ganache-core/node_modules/eth-json-rpc-infura
        web3-provider-engine  *
        Depends on vulnerable versions of eth-block-tracker
        Depends on vulnerable versions of eth-json-rpc-infura
        Depends on vulnerable versions of request
        node_modules/ganache-core/node_modules/web3-provider-engine
          ganache-core  *
          Depends on vulnerable versions of async
          Depends on vulnerable versions of web3
          Depends on vulnerable versions of web3-provider-engine
          node_modules/ganache-core
            @ethereum-waffle/provider  <=4.0.0-dev.e3fa452
            Depends on vulnerable versions of ganache-core
            node_modules/@ethereum-waffle/provider
              @ethereum-waffle/chai  2.5.0 - 4.0.0-dev.e3fa452
              Depends on vulnerable versions of @ethereum-waffle/provider
              node_modules/@ethereum-waffle/chai
                ethereum-waffle  >=2.3.0-istanbul.0
                Depends on vulnerable versions of @ethereum-waffle/chai
                Depends on vulnerable versions of @ethereum-waffle/compiler
                Depends on vulnerable versions of @ethereum-waffle/provider
                node_modules/ethereum-waffle

normalize-url  4.3.0 - 4.5.0
Severity: high
ReDoS in normalize-url - https://github.com/advisories/GHSA-px4h-xg32-q955
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/normalize-url

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/path-parse

qs  6.5.0 - 6.5.2 || 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/body-parser/node_modules/qs
node_modules/ganache-core/node_modules/express/node_modules/qs
node_modules/ganache-core/node_modules/qs
  body-parser  1.19.0
  Depends on vulnerable versions of qs
  node_modules/ganache-core/node_modules/body-parser
  express  4.17.0 - 4.17.1 || 5.0.0-alpha.1 - 5.0.0-alpha.8
  Depends on vulnerable versions of qs
  node_modules/ganache-core/node_modules/express

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/ganache-core/node_modules/request
node_modules/request
  @resolver-engine/core  *
  Depends on vulnerable versions of request
  node_modules/@resolver-engine/core
    @resolver-engine/fs  *
    Depends on vulnerable versions of @resolver-engine/core
    node_modules/@resolver-engine/fs
    @resolver-engine/imports  *
    Depends on vulnerable versions of @resolver-engine/core
    node_modules/@resolver-engine/imports
      @ethereum-waffle/compiler  *
      Depends on vulnerable versions of @resolver-engine/imports
      node_modules/@ethereum-waffle/compiler
        ethereum-waffle  >=2.3.0-istanbul.0
        Depends on vulnerable versions of @ethereum-waffle/chai
        Depends on vulnerable versions of @ethereum-waffle/compiler
        Depends on vulnerable versions of @ethereum-waffle/provider
        node_modules/ethereum-waffle
      @resolver-engine/imports-fs  *
      Depends on vulnerable versions of @resolver-engine/imports
      node_modules/@resolver-engine/imports-fs
  eth-gas-reporter  >=0.0.5
  Depends on vulnerable versions of mocha
  Depends on vulnerable versions of request
  node_modules/eth-gas-reporter
    hardhat-gas-reporter  *
    Depends on vulnerable versions of eth-gas-reporter
    node_modules/hardhat-gas-reporter
      @nomicfoundation/hardhat-toolbox  *
      Depends on vulnerable versions of hardhat-gas-reporter
      Depends on vulnerable versions of solidity-coverage
      node_modules/@nomicfoundation/hardhat-toolbox
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    Depends on vulnerable versions of tough-cookie
    node_modules/request-promise-native
  servify  *
  Depends on vulnerable versions of request
  node_modules/ganache-core/node_modules/servify
  node_modules/servify
    eth-lib  0.1.24 - 0.1.29
    Depends on vulnerable versions of servify
    node_modules/eth-lib
    node_modules/ganache-core/node_modules/eth-lib
      swarm-js  0.1.1 - 0.1.17 || >=0.1.35
      Depends on vulnerable versions of eth-lib
      Depends on vulnerable versions of got
      node_modules/ganache-core/node_modules/swarm-js
      node_modules/swarm-js
        web3-bzz  *
        Depends on vulnerable versions of got
        Depends on vulnerable versions of swarm-js
        Depends on vulnerable versions of underscore
        node_modules/@truffle/interface-adapter/node_modules/web3-bzz
        node_modules/ganache-core/node_modules/web3-bzz
        node_modules/web3-bzz
          web3  <=3.0.0-rc.4
          Depends on vulnerable versions of web3-bzz
          Depends on vulnerable versions of web3-bzz
          Depends on vulnerable versions of web3-eth
          Depends on vulnerable versions of web3-shh
          node_modules/@truffle/interface-adapter/node_modules/web3
          node_modules/ganache-core/node_modules/web3
          node_modules/web3
            @truffle/interface-adapter  *
            Depends on vulnerable versions of web3
            node_modules/@truffle/interface-adapter
              @truffle/provider  *
              Depends on vulnerable versions of @truffle/interface-adapter
              Depends on vulnerable versions of web3
              node_modules/@truffle/provider
                solidity-coverage  0.7.0-beta.0 - 0.8.0-rc.test.0
                Depends on vulnerable versions of @truffle/provider
                node_modules/solidity-coverage
            ganache-core  *
            Depends on vulnerable versions of async
            Depends on vulnerable versions of web3
            Depends on vulnerable versions of web3-provider-engine
            node_modules/ganache-core
              @ethereum-waffle/provider  <=4.0.0-dev.e3fa452
              Depends on vulnerable versions of ganache-core
              node_modules/@ethereum-waffle/provider
                @ethereum-waffle/chai  2.5.0 - 4.0.0-dev.e3fa452
                Depends on vulnerable versions of @ethereum-waffle/provider
                node_modules/@ethereum-waffle/chai
  web3-provider-engine  *
  Depends on vulnerable versions of eth-block-tracker
  Depends on vulnerable versions of eth-json-rpc-infura
  Depends on vulnerable versions of request
  node_modules/ganache-core/node_modules/web3-provider-engine

semver  <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/babel-preset-env/node_modules/semver
node_modules/ganache-core/node_modules/eth-json-rpc-middleware/node_modules/semver
node_modules/ganache-core/node_modules/eth-tx-summary/node_modules/semver
node_modules/ganache-core/node_modules/ethereumjs-block/node_modules/semver
node_modules/ganache-core/node_modules/ethereumjs-vm/node_modules/semver
node_modules/ganache-core/node_modules/patch-package/node_modules/semver
node_modules/ganache-core/node_modules/web3-provider-engine/node_modules/semver
  levelup  0.9.0 - 1.3.9
  Depends on vulnerable versions of semver
  node_modules/ganache-core/node_modules/eth-json-rpc-middleware/node_modules/levelup
  node_modules/ganache-core/node_modules/eth-tx-summary/node_modules/levelup
  node_modules/ganache-core/node_modules/ethereumjs-block/node_modules/levelup
  node_modules/ganache-core/node_modules/ethereumjs-vm/node_modules/levelup
  node_modules/ganache-core/node_modules/web3-provider-engine/node_modules/levelup
    merkle-patricia-tree  0.1.22 - 2.3.2
    Depends on vulnerable versions of levelup
    node_modules/ganache-core/node_modules/eth-json-rpc-middleware/node_modules/merkle-patricia-tree
    node_modules/ganache-core/node_modules/eth-tx-summary/node_modules/merkle-patricia-tree
    node_modules/ganache-core/node_modules/ethereumjs-block/node_modules/merkle-patricia-tree
    node_modules/ganache-core/node_modules/ethereumjs-vm/node_modules/merkle-patricia-tree
    node_modules/ganache-core/node_modules/web3-provider-engine/node_modules/merkle-patricia-tree
      ethereumjs-block  >=0.0.3
      Depends on vulnerable versions of merkle-patricia-tree
      node_modules/ganache-core/node_modules/eth-json-rpc-middleware/node_modules/ethereumjs-block
      node_modules/ganache-core/node_modules/eth-json-rpc-middleware/node_modules/ethereumjs-vm/node_modules/ethereumjs-block
      node_modules/ganache-core/node_modules/eth-tx-summary/node_modules/ethereumjs-block
      node_modules/ganache-core/node_modules/eth-tx-summary/node_modules/ethereumjs-vm/node_modules/ethereumjs-block     
      node_modules/ganache-core/node_modules/ethereumjs-block
      node_modules/ganache-core/node_modules/web3-provider-engine/node_modules/ethereumjs-block
      node_modules/ganache-core/node_modules/web3-provider-engine/node_modules/ethereumjs-vm/node_modules/ethereumjs-block
        eth-json-rpc-middleware  1.1.0 - 5.1.0
        Depends on vulnerable versions of eth-tx-summary
        Depends on vulnerable versions of ethereumjs-block
        Depends on vulnerable versions of fetch-ponyfill
        Depends on vulnerable versions of json-rpc-engine
        node_modules/ganache-core/node_modules/eth-json-rpc-middleware
          eth-json-rpc-infura  <=5.0.0
          Depends on vulnerable versions of eth-json-rpc-middleware
          Depends on vulnerable versions of json-rpc-engine
          node_modules/ganache-core/node_modules/eth-json-rpc-infura
            web3-provider-engine  *
            Depends on vulnerable versions of eth-block-tracker
            Depends on vulnerable versions of eth-json-rpc-infura
            Depends on vulnerable versions of request
            node_modules/ganache-core/node_modules/web3-provider-engine
              ganache-core  *
              Depends on vulnerable versions of async
              Depends on vulnerable versions of web3
              Depends on vulnerable versions of web3-provider-engine
              node_modules/ganache-core
                @ethereum-waffle/provider  <=4.0.0-dev.e3fa452
                Depends on vulnerable versions of ganache-core
                node_modules/@ethereum-waffle/provider
                  @ethereum-waffle/chai  2.5.0 - 4.0.0-dev.e3fa452
                  Depends on vulnerable versions of @ethereum-waffle/provider
                  node_modules/@ethereum-waffle/chai
                    ethereum-waffle  >=2.3.0-istanbul.0
                    Depends on vulnerable versions of @ethereum-waffle/chai
                    Depends on vulnerable versions of @ethereum-waffle/compiler
                    Depends on vulnerable versions of @ethereum-waffle/provider
                    node_modules/ethereum-waffle
        eth-tx-summary  *
        Depends on vulnerable versions of ethereumjs-block
        node_modules/ganache-core/node_modules/eth-tx-summary
        ethereumjs-blockchain  *
        Depends on vulnerable versions of ethereumjs-block
        node_modules/ganache-core/node_modules/ethereumjs-blockchain
          ethereumjs-vm  >=0.1.1
          Depends on vulnerable versions of ethereumjs-block
          Depends on vulnerable versions of ethereumjs-blockchain
          Depends on vulnerable versions of merkle-patricia-tree
          node_modules/ganache-core/node_modules/eth-json-rpc-middleware/node_modules/ethereumjs-vm
          node_modules/ganache-core/node_modules/eth-tx-summary/node_modules/ethereumjs-vm
          node_modules/ganache-core/node_modules/ethereumjs-vm
          node_modules/ganache-core/node_modules/web3-provider-engine/node_modules/ethereumjs-vm

simple-get  <2.8.2
Severity: high
Exposure of Sensitive Information in simple-get - https://github.com/advisories/GHSA-wpg7-2c88-r8xv
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/simple-get

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/ganache-core/node_modules/tough-cookie
node_modules/tough-cookie
  request  *
  Depends on vulnerable versions of tough-cookie
  node_modules/ganache-core/node_modules/request
  node_modules/request
    @resolver-engine/core  *
    Depends on vulnerable versions of request
    node_modules/@resolver-engine/core
      @resolver-engine/fs  *
      Depends on vulnerable versions of @resolver-engine/core
      node_modules/@resolver-engine/fs
      @resolver-engine/imports  *
      Depends on vulnerable versions of @resolver-engine/core
      node_modules/@resolver-engine/imports
        @ethereum-waffle/compiler  *
        Depends on vulnerable versions of @resolver-engine/imports
        node_modules/@ethereum-waffle/compiler
          ethereum-waffle  >=2.3.0-istanbul.0
          Depends on vulnerable versions of @ethereum-waffle/chai
          Depends on vulnerable versions of @ethereum-waffle/compiler
          Depends on vulnerable versions of @ethereum-waffle/provider
          node_modules/ethereum-waffle
        @resolver-engine/imports-fs  *
        Depends on vulnerable versions of @resolver-engine/imports
        node_modules/@resolver-engine/imports-fs
    eth-gas-reporter  >=0.0.5
    Depends on vulnerable versions of mocha
    Depends on vulnerable versions of request
    node_modules/eth-gas-reporter
      hardhat-gas-reporter  *
      Depends on vulnerable versions of eth-gas-reporter
      node_modules/hardhat-gas-reporter
        @nomicfoundation/hardhat-toolbox  *
        Depends on vulnerable versions of hardhat-gas-reporter
        Depends on vulnerable versions of solidity-coverage
        node_modules/@nomicfoundation/hardhat-toolbox
    request-promise-core  *
    Depends on vulnerable versions of request
    node_modules/request-promise-core
      request-promise-native  >=1.0.0
      Depends on vulnerable versions of request
      Depends on vulnerable versions of request-promise-core
      Depends on vulnerable versions of tough-cookie
      node_modules/request-promise-native
    servify  *
    Depends on vulnerable versions of request
    node_modules/ganache-core/node_modules/servify
    node_modules/servify
      eth-lib  0.1.24 - 0.1.29
      Depends on vulnerable versions of servify
      node_modules/eth-lib
      node_modules/ganache-core/node_modules/eth-lib
        swarm-js  0.1.1 - 0.1.17 || >=0.1.35
        Depends on vulnerable versions of eth-lib
        Depends on vulnerable versions of got
        node_modules/ganache-core/node_modules/swarm-js
        node_modules/swarm-js
          web3-bzz  *
          Depends on vulnerable versions of got
          Depends on vulnerable versions of swarm-js
          Depends on vulnerable versions of underscore
          node_modules/@truffle/interface-adapter/node_modules/web3-bzz
          node_modules/ganache-core/node_modules/web3-bzz
          node_modules/web3-bzz
            web3  <=3.0.0-rc.4
            Depends on vulnerable versions of web3-bzz
            Depends on vulnerable versions of web3-bzz
            Depends on vulnerable versions of web3-eth
            Depends on vulnerable versions of web3-shh
            node_modules/@truffle/interface-adapter/node_modules/web3
            node_modules/ganache-core/node_modules/web3
            node_modules/web3
              @truffle/interface-adapter  *
              Depends on vulnerable versions of web3
              node_modules/@truffle/interface-adapter
                @truffle/provider  *
                Depends on vulnerable versions of @truffle/interface-adapter
                Depends on vulnerable versions of web3
                node_modules/@truffle/provider
                  solidity-coverage  0.7.0-beta.0 - 0.8.0-rc.test.0
                  Depends on vulnerable versions of @truffle/provider
                  node_modules/solidity-coverage
              ganache-core  *
              Depends on vulnerable versions of async
              Depends on vulnerable versions of web3
              Depends on vulnerable versions of web3-provider-engine
              node_modules/ganache-core
                @ethereum-waffle/provider  <=4.0.0-dev.e3fa452
                Depends on vulnerable versions of ganache-core
                node_modules/@ethereum-waffle/provider
                  @ethereum-waffle/chai  2.5.0 - 4.0.0-dev.e3fa452
                  Depends on vulnerable versions of @ethereum-waffle/provider
                  node_modules/@ethereum-waffle/chai
    web3-provider-engine  *
    Depends on vulnerable versions of eth-block-tracker
    Depends on vulnerable versions of eth-json-rpc-infura
    Depends on vulnerable versions of request
    node_modules/ganache-core/node_modules/web3-provider-engine

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/ganache-core/node_modules/underscore
  web3-bzz  *
  Depends on vulnerable versions of got
  Depends on vulnerable versions of swarm-js
  Depends on vulnerable versions of underscore
  node_modules/@truffle/interface-adapter/node_modules/web3-bzz
  node_modules/ganache-core/node_modules/web3-bzz
  node_modules/web3-bzz
    web3  <=3.0.0-rc.4
    Depends on vulnerable versions of web3-bzz
    Depends on vulnerable versions of web3-bzz
    Depends on vulnerable versions of web3-eth
    Depends on vulnerable versions of web3-shh
    node_modules/@truffle/interface-adapter/node_modules/web3
    node_modules/ganache-core/node_modules/web3
    node_modules/web3
      @truffle/interface-adapter  *
      Depends on vulnerable versions of web3
      node_modules/@truffle/interface-adapter
        @truffle/provider  *
        Depends on vulnerable versions of @truffle/interface-adapter
        Depends on vulnerable versions of web3
        node_modules/@truffle/provider
          solidity-coverage  0.7.0-beta.0 - 0.8.0-rc.test.0
          Depends on vulnerable versions of @truffle/provider
          node_modules/solidity-coverage
            @nomicfoundation/hardhat-toolbox  *
            Depends on vulnerable versions of hardhat-gas-reporter
            Depends on vulnerable versions of solidity-coverage
            node_modules/@nomicfoundation/hardhat-toolbox
      ganache-core  *
      Depends on vulnerable versions of async
      Depends on vulnerable versions of web3
      Depends on vulnerable versions of web3-provider-engine
      node_modules/ganache-core
        @ethereum-waffle/provider  <=4.0.0-dev.e3fa452
        Depends on vulnerable versions of ganache-core
        node_modules/@ethereum-waffle/provider
          @ethereum-waffle/chai  2.5.0 - 4.0.0-dev.e3fa452
          Depends on vulnerable versions of @ethereum-waffle/provider
          node_modules/@ethereum-waffle/chai
            ethereum-waffle  >=2.3.0-istanbul.0
            Depends on vulnerable versions of @ethereum-waffle/chai
            Depends on vulnerable versions of @ethereum-waffle/compiler
            Depends on vulnerable versions of @ethereum-waffle/provider
            node_modules/ethereum-waffle
  web3-core-helpers  <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4
  Depends on vulnerable versions of underscore
  Depends on vulnerable versions of web3-utils
  node_modules/ganache-core/node_modules/web3-core-helpers
    web3-core  <=1.3.5 || 2.0.0-alpha - 3.0.0-rc.4
    Depends on vulnerable versions of web3-core-helpers
    node_modules/ganache-core/node_modules/web3-core
      web3-eth-ens  <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4
      Depends on vulnerable versions of underscore
      Depends on vulnerable versions of web3-core
      Depends on vulnerable versions of web3-core-helpers
      node_modules/ganache-core/node_modules/web3-eth-ens
        web3-eth  <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4
        Depends on vulnerable versions of underscore
        Depends on vulnerable versions of web3-core-helpers
        Depends on vulnerable versions of web3-eth-ens
        node_modules/ganache-core/node_modules/web3-eth
    web3-core-method  <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4
    Depends on vulnerable versions of underscore
    Depends on vulnerable versions of web3-core-helpers
    node_modules/ganache-core/node_modules/web3-core-method
      web3-net  1.2.0 - 1.3.5 || 2.0.0-alpha - 3.0.0-rc.4
      Depends on vulnerable versions of web3-core-method
      node_modules/ganache-core/node_modules/web3-net
        web3-eth-personal  <=1.3.5 || 2.0.0-alpha - 3.0.0-rc.4
        Depends on vulnerable versions of web3-core-helpers
        Depends on vulnerable versions of web3-net
        node_modules/ganache-core/node_modules/web3-eth-personal
        web3-shh  <=1.3.5
        Depends on vulnerable versions of web3-core-method
        Depends on vulnerable versions of web3-net
        node_modules/ganache-core/node_modules/web3-shh
    web3-core-subscriptions  <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4
    Depends on vulnerable versions of underscore
    Depends on vulnerable versions of web3-core-helpers
    node_modules/ganache-core/node_modules/web3-core-subscriptions
    web3-eth-contract  <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4
    Depends on vulnerable versions of underscore
    Depends on vulnerable versions of web3-core-helpers
    node_modules/ganache-core/node_modules/web3-eth-contract
    web3-providers-http  <=1.0.0 || 1.2.0 - 1.3.5 || 3.0.0-rc.0 - 3.0.0-rc.4
    Depends on vulnerable versions of web3-core-helpers
    node_modules/ganache-core/node_modules/web3-providers-http
    web3-providers-ipc  <=1.3.6-rc.2 || 3.0.0-rc.0 - 3.0.0-rc.5
    Depends on vulnerable versions of underscore
    Depends on vulnerable versions of web3-core-helpers
    node_modules/ganache-core/node_modules/web3-providers-ipc
    web3-providers-ws  <=1.3.6-rc.2 || 3.0.0-rc.0 - 3.0.0-rc.4
    Depends on vulnerable versions of underscore
    Depends on vulnerable versions of web3-core-helpers
    node_modules/ganache-core/node_modules/web3-providers-ws
  web3-core-requestmanager  <=1.3.5 || 3.0.0-rc.0 - 3.0.0-rc.4
  Depends on vulnerable versions of underscore
  node_modules/ganache-core/node_modules/web3-core-requestmanager
  web3-eth-abi  <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4
  Depends on vulnerable versions of underscore
  Depends on vulnerable versions of web3-utils
  node_modules/ganache-core/node_modules/web3-eth-abi
  web3-eth-accounts  <=1.3.5 || 2.0.0-alpha - 3.0.0-rc.4
  Depends on vulnerable versions of underscore
  node_modules/ganache-core/node_modules/web3-eth-accounts
  web3-utils  1.0.0-beta.8 - 1.3.5 || 2.0.0-alpha - 3.0.0-rc.4
  Depends on vulnerable versions of underscore
  node_modules/ganache-core/node_modules/web3-utils
    web3-eth-iban  <=1.3.5 || 2.0.0-alpha - 3.0.0-rc.4
    Depends on vulnerable versions of web3-utils
    node_modules/ganache-core/node_modules/web3-eth-iban

web3  <=3.0.0-rc.4
Severity: critical
Insecure Credential Storage in web3 - https://github.com/advisories/GHSA-27v7-qhfv-rqq8
Depends on vulnerable versions of web3-bzz
Depends on vulnerable versions of web3-bzz
Depends on vulnerable versions of web3-eth
Depends on vulnerable versions of web3-shh
No fix available
node_modules/@truffle/interface-adapter/node_modules/web3
node_modules/ganache-core/node_modules/web3
node_modules/web3
  @truffle/interface-adapter  *
  Depends on vulnerable versions of web3
  node_modules/@truffle/interface-adapter
    @truffle/provider  *
    Depends on vulnerable versions of @truffle/interface-adapter
    Depends on vulnerable versions of web3
    node_modules/@truffle/provider
      solidity-coverage  0.7.0-beta.0 - 0.8.0-rc.test.0
      Depends on vulnerable versions of @truffle/provider
      node_modules/solidity-coverage
        @nomicfoundation/hardhat-toolbox  *
        Depends on vulnerable versions of hardhat-gas-reporter
        Depends on vulnerable versions of solidity-coverage
        node_modules/@nomicfoundation/hardhat-toolbox
  ganache-core  *
  Depends on vulnerable versions of async
  Depends on vulnerable versions of web3
  Depends on vulnerable versions of web3-provider-engine
  node_modules/ganache-core
    @ethereum-waffle/provider  <=4.0.0-dev.e3fa452
    Depends on vulnerable versions of ganache-core
    node_modules/@ethereum-waffle/provider
      @ethereum-waffle/chai  2.5.0 - 4.0.0-dev.e3fa452
      Depends on vulnerable versions of @ethereum-waffle/provider
      node_modules/@ethereum-waffle/chai
        ethereum-waffle  >=2.3.0-istanbul.0
        Depends on vulnerable versions of @ethereum-waffle/chai
        Depends on vulnerable versions of @ethereum-waffle/compiler
        Depends on vulnerable versions of @ethereum-waffle/provider
        node_modules/ethereum-waffle

ws  5.0.0 - 5.2.2
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix`
node_modules/ganache-core/node_modules/web3-provider-engine/node_modules/ws

85 vulnerabilities (2 low, 31 moderate, 25 high, 27 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.