There are security warnings still coming from @ensdomains/ensjs #4601
Comments
Hey @wbt, thanks for raising this! We are going to try and get @ensdomains to update the library. If we can't do that we may have to look for alternative implementations.
@makoto Would you mind merging the open PR on ensjs and publishing a new version? Separately, we'd recommend migrating away from ensjs; ethers has almost all the same functionality, and is better maintained.
Unfortunately, as best any of us can tell, the support in ethers for ENS doesn't allow setting a custom registry address. We could use web3's ENS support, perhaps? That seems to have support for custom registry addresses. In the meantime, I'll use this as a chance to pester @makoto again about merging ensdomains/ensjs#76.
Thanks @Arachnid! I must have missed that in the docs.
Oh, huh, yeah, I missed that too. That said, having to set that as part of the network is kind of annoying (because we also have to supply the rest of the information, I assume?). But if that really is the problem, well, we can always fall back on web3.js.
Any progress on this? @ensdomains/ens is being deprecated as I see, so probably it's best to solve it from truffle's side? |
There was some initial work done but there is a bit more to be figured out before being able to fully replace it. It is a bit tricky to switch over the functionality that deploys registries/resolvers to test networks. |
The high-severity-labeled warning appears to no longer be present on the latest version of
Even in the latest published version of @truffle/contract (4.6.15) I'm still seeing audit warnings (though now of moderate severity) due to this 2020 security advisory, via the ensdomains dependency. It also appears that Truffle's already using the latest published version of @ensdomains/ensjs@2.1.0 prior to the v3 breaking changes.
Thanks @wbt. Re-opening this to look into it.
We still have the same difficulties with dealing with replacing this library. Although it looks like they are going to put out a new major version sometime in the future. There are a bunch of
It may be worth opening a branch to make the breaking changes associated with the latest v3 alpha, to be more ready when v3 is released. The heavy focus on v3 there suggests they may not fix security issues in v2. |
Issue
Due to this underlying issue, @truffle/contract is reporting a High severity npm audit failure. A PR which might fix it was submitted several weeks ago but has not been evaluated or merged, and the last commit to make it into that repo was more than a month prior.
Steps to Reproduce
Run npm audit with @truffle/contract@4.4.2 installed in a project.
Expected Behavior
No audit failures.
Actual Results
Several audit failures, including a high-severity Regex DoS stemming from use of glob-parent <5.1.2, and another high-severity prototype pollution issue from y18n. There are also moderate-severity issues in elliptic < 6.5.3 and in mem < 4.0.0 and in yargs-parser <5.0.0 & 7.0.0 which this should fix as well.
Running npm ls glob-parent gives:
Running npm ls y18n gives:
There is also a moderate-severity issue in ansi-regex under this path, but that's not the only place it's found; an update would also be needed in chromafi and pulled into Truffle's fork of it.
Response options
In creating this Issue, I propose not #4.
Environment
Truffle version (truffle version): @truffle/contract 4.4.2
Node version (node --version): 16.13.1
npm version (npm --version): 7.24.0
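The npm ls output the reporter refers to is not reproduced on this page, so here is an added example (not code from the Truffle project or from anyone in this thread) of how a maintainer can locate every dependency path that reaches a package still below its fixed version. It walks a tree in the nested "dependencies" shape that npm ls --json prints; the tree below is constructed for this example, with a hypothetical second path through chokidar to show that only the outdated copy is flagged, and the fixed versions are the three the issue quotes explicitly (glob-parent 5.1.2, elliptic 6.5.3, mem 4.0.0). In real use, feed it JSON.parse of the output of npm ls --json --all instead of SAMPLE_TREE.

```javascript
// Added example, not part of the truffle issue or the project.
// First fixed version for each package the issue names with an explicit range.
const FIXED_VERSIONS = {
  'glob-parent': '5.1.2',
  'elliptic': '6.5.3',
  'mem': '4.0.0',
};

// CONSTRUCTED sample in the shape of `npm ls --json --all` output; the
// chokidar path is hypothetical and exists only to show a non-flagged copy.
const SAMPLE_TREE = {
  name: 'example-project',
  version: '1.0.0',
  dependencies: {
    '@truffle/contract': {
      version: '4.4.2',
      dependencies: {
        '@ensdomains/ensjs': {
          version: '2.1.0',
          dependencies: {
            'elliptic': { version: '6.5.2' },
            'glob-parent': { version: '5.1.1' },
          },
        },
        'chokidar': {
          version: '3.5.3',
          dependencies: { 'glob-parent': { version: '5.1.2' } },
        },
      },
    },
    'mem': { version: '4.3.0' },
  },
};

// Compare two semver release strings numerically; prerelease and build
// suffixes are stripped, so "5.1.2-beta.1" is treated as 5.1.2.
// Returns a negative number if a < b, 0 if equal, positive if a > b.
function compareSemver(a, b) {
  const parse = (v) => v.split('+')[0].split('-')[0].split('.').map(Number);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk over the dependency tree. Every node whose installed
// version is below the fixed version for its name is reported together with
// the full path from the root, so each transitive route is visible.
function findVulnerablePaths(tree, fixedVersions) {
  const findings = [];
  function walk(node, path) {
    const deps = node.dependencies || {};
    for (const [name, child] of Object.entries(deps)) {
      const here = [...path, `${name}@${child.version}`];
      const fixedIn = fixedVersions[name];
      if (fixedIn && compareSemver(child.version, fixedIn) < 0) {
        findings.push({ name, version: child.version, fixedIn, path: here.join(' > ') });
      }
      walk(child, here);
    }
  }
  walk(tree, [tree.name]);
  return findings;
}

// Human-readable report, one line per finding.
function formatReport(findings) {
  return findings.map((f) => `${f.name}@${f.version} (fixed in ${f.fixedIn}): ${f.path}`);
}

for (const line of formatReport(findVulnerablePaths(SAMPLE_TREE, FIXED_VERSIONS))) {
  console.log(line);
}
```

Because findings carry the whole path, the output answers the question the thread keeps circling: whether the outdated copy comes in only through @ensdomains/ensjs or also through another route that a Truffle-side bump could not fix.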