Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade solidity-coverage from 0.7.21 to 0.8.12 #23

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

nek0ill
Copy link
Owner

@nek0ill nek0ill commented Aug 6, 2024

snyk-top-banner

Snyk has created this PR to upgrade solidity-coverage from 0.7.21 to 0.8.12.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 22 versions ahead of your current version.

  • The recommended version was released on 4 months ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Improper Verification of Cryptographic Signature
SNYK-JS-BROWSERIFYSIGN-6037026
646 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ES5EXT-6095076
646 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-WS-7266574
646 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873
646 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-COOKIEJAR-3149984
646 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
646 No Known Exploit
medium severity Open Redirect
SNYK-JS-GOT-2932019
646 No Known Exploit
medium severity Open Redirect
SNYK-JS-GOT-2932019
646 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-HTTPCACHESEMANTICS-3248783
646 Proof of Concept
medium severity Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831
646 Proof of Concept
medium severity Uncontrolled Resource Consumption ('Resource Exhaustion')
SNYK-JS-TAR-6476909
646 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
646 Proof of Concept
low severity Insecure Credential Storage
SNYK-JS-WEB3-174533
646 No Known Exploit
Release notes
Package name: solidity-coverage
  • 0.8.12 - 2024-04-05

    What's Changed

    • Adds "work-around" support for the hardhat-viem plugin. If you're using viem, run the coverage task with:
      SOLIDITY_COVERAGE=true npx hardhat coverage
      
    • Adds support for solc v0.4.x
    • Fixes a bug where plugin crashed if the contract sources directory name contained a period.
    • Fixes a bug where instrumentation failed if there was whitespace between require statement and the terminating semi-colon

    PRs

    Full Changelog: v0.8.11...v0.8.12

  • 0.8.11 - 2024-03-07

    Summary

    0.8.11 fixes a(nother) bug that resulted in some line hits remaining undetected when compiling with viaIR=true

    What's Changed

    • Check all SWAP opcodes for inst. hashes when viaIR is true by @ cgewecke in #873

    Full Changelog: v0.8.10...v0.8.11

  • 0.8.10 - 2024-02-29

    Summary

    0.8.10 fixes a bug that resulted in some line hits remaining undetected when compiling with viaIR=true

    What's Changed

    • Check all PUSH opcodes for instr. hashes when viaIR is true by @ cgewecke in #871

    Full Changelog: v0.8.9...v0.8.10

  • 0.8.10-rc.0 - 2024-02-28
  • 0.8.9 - 2024-02-27

    What's Changed

    • Fix regression introduced in 0.8.7 where modifier branch coverage for modifiers inherited from a dependency was not measured correctly in some cases @ cgewecke in #868

    Full Changelog: v0.8.8...v0.8.9

  • 0.8.9-rc.0 - 2024-02-25
  • 0.8.8 - 2024-02-21

    What's Changed

    • Fix bug when instrumenting hardhat flattened contracts:
      • Only inject file-level instr. for first pragma in file by @ cgewecke in #865
    • Fix 0% coverage when using with hardhat-foundry & foundry.toml is present:
      • Coerce sources path to absolute path if necessary by @ cgewecke in #866

    Install

    npm install --save-dev solidity-coverage@latest
    npx hardhat clean
    

    Full Changelog: v0.8.7...v0.8.8

  • 0.8.7 - 2024-02-10

    What's Changed

    viaIR now allowed

    This release (hopefully) fixes a long-running problem solidity-coverage had with solc's viaIR compilation mode - It's now possible to use it without any special configuration. (Please report any ongoing issues with this to issue #861)

    If you've been using .solcover.js options like configureYulOptimizer and solcOptimizerDetails as a work around, you should remove them when upgrading. (Don't forget to run the hardhat clean task after updating any coverage config stuff).

    --network no longer allowed

    Sadly the ganache client has been deprecated. The coverage plugin never worked with its latest major version and the network flag only existed for its sake. Going forward, the network option throws an error notifying the user that coverage only uses the HardhatEVM network.

    --sources cli option

    You can now select a single file (or folder) at the command line to generate coverage for. This option should speed things up if you've been waiting for the plugin to instrument everything in a large project whenever you run the command.

    $ npx hardhat coverage --sources MyFile.sol
    $ npx hardhat coverage --sources MyFolder

    (Thanks so much @ clauBv23 for adding this!)

    Funding

    OpenZeppelin has very generously funded recent work at solidity-coverage via DRIPS, a public goods protocol which helps you direct money to projects in your dependency tree. Thanks so much! ❤️

    Links to relevant PRs

    • Add command option to specify the source files to run the coverage on (#806) by @ clauBv23 in #838
    • Remove ganache-cli related code from API & tests by @ cgewecke in #849
    • Add missing onPreCompile stage hook by @ cgewecke in #851
    • Enable coverage when viaIR compiler flag is true by @ cgewecke in #854

    Full Changelog: v0.8.6...v0.8.7

  • 0.8.7-viaIR.0 - 2024-02-09
  • 0.8.6 - 2024-01-29

    What's Changed

    Fixes

    • Perform ternary conditional injections before branch injections (#828) by @ cgewecke in #828
    • Fix chained ternary conditionals instrumentation by @ cgewecke in #830
    • Fix instrumentation error for virtual modifiers by @ cgewecke in #832
    • Throw error when mocha parallel is set to true by @ cgewecke in #833

    Documentation

    • Update faq.md with another viaIR optimizer config workaround by @ remedcu in #822
    • Document Istanbul check-coverage cli command by @ cgewecke in #834

    Dependencies

    Misc

    New Contributors

    Full Changelog: v0.8.5...v0.8.6

  • 0.8.6-sha1.0 - 2023-10-14
  • 0.8.5 - 2023-09-22

    What's Changed

    New Contributors

    Full Changelog: v0.8.4...v0.8.5

  • 0.8.4 - 2023-07-04

    What's Changed

    New Contributors

    Full Changelog: v0.8.2...v0.8.4

  • 0.8.3 - 2023-06-22
  • 0.8.2 - 2022-09-08

    What's Changed

    New Contributors

    Full Changelog: v0.8.1...v0.8.2

  • 0.8.1 - 2022-09-06
  • 0.8.0 - 2022-09-05
  • 0.8.0-rc.test.0 - 2022-04-26
  • 0.8.0-rc.1 - 2022-03-29
  • 0.8.0-beta.1 - 2022-03-29
  • 0.8.0-beta.0 - 2021-01-13
  • 0.7.22 - 2022-09-05
  • 0.7.21 - 2022-04-24
from solidity-coverage GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"solidity-coverage","from":"0.7.21","to":"0.8.12"}],"env":"prod","hasFixes":true,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-BROWSERIFYSIGN-6037026","issue_id":"SNYK-JS-BROWSERIFYSIGN-6037026","priority_score":589,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Improper Verification of Cryptographic Signature"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-ES5EXT-6095076","issue_id":"SNYK-JS-ES5EXT-6095076","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-WS-7266574","issue_id":"SNYK-JS-WS-7266574","priority_score":696,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Denial of Service (DoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-TOUGHCOOKIE-5672873","issue_id":"SNYK-JS-TOUGHCOOKIE-5672873","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Prototype Pollution"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-COOKIEJAR-3149984","issue_id":"SNYK-JS-COOKIEJAR-3149984","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-EXPRESS-6474509","issue_id":"SNYK-JS-EXPRESS-6474509","priority_score":519,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.1","score":305},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-GOT-2932019","issue_id":"SNYK-JS-GOT-2932019","priority_score":484,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.4","score":270},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-GOT-2932019","issue_id":"SNYK-JS-GOT-2932019","priority_score":484,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.4","score":270},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-HTTPCACHESEMANTICS-3248783","issue_id":"SNYK-JS-HTTPCACHESEMANTICS-3248783","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-REQUEST-3361831","issue_id":"SNYK-JS-REQUEST-3361831","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Server-side Request Forgery (SSRF)"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-TAR-6476909","issue_id":"SNYK-JS-TAR-6476909","priority_score":646,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.5","score":325},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Uncontrolled Resource Consumption ('Resource Exhaustion')"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-WS-1296835","issue_id":"SNYK-JS-WS-1296835","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-WEB3-174533","issue_id":"SNYK-JS-WEB3-174533","priority_score":379,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"3.3","score":165},{"type":"scoreVersion","label":"v1","score":1}],"severity":"low","title":"Insecure Credential Storage"}],"prId":"8a7fbdea-0f76-4eec-9cfd-ef7343fe1d4b","prPublicId":"8a7fbdea-0f76-4eec-9cfd-ef7343fe1d4b","packageManager":"npm","priorityScoreList":[589,696,696,646,586,519,484,586,646,646,586,379],"projectPublicId":"c8db6975-f9ad-4b1f-b5e8-94654e147c9d","projectUrl":"https://app.snyk.io/org/muisance/project/c8db6975-f9ad-4b1f-b5e8-94654e147c9d?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["priorityScore"],"type":"auto","upgrade":["SNYK-JS-BROWSERIFYSIGN-6037026","SNYK-JS-ES5EXT-6095076","SNYK-JS-WS-7266574","SNYK-JS-TOUGHCOOKIE-5672873","SNYK-JS-COOKIEJAR-3149984","SNYK-JS-EXPRESS-6474509","SNYK-JS-GOT-2932019","SNYK-JS-GOT-2932019","SNYK-JS-HTTPCACHESEMANTICS-3248783","SNYK-JS-REQUEST-3361831","SNYK-JS-TAR-6476909","SNYK-JS-WS-1296835","SNYK-JS-WEB3-174533"],"upgradeInfo":{"versionsDiff":22,"publishedDate":"2024-04-05T22:57:21.288Z"},"vulns":["SNYK-JS-BROWSERIFYSIGN-6037026","SNYK-JS-ES5EXT-6095076","SNYK-JS-WS-7266574","SNYK-JS-TOUGHCOOKIE-5672873","SNYK-JS-COOKIEJAR-3149984","SNYK-JS-EXPRESS-6474509","SNYK-JS-GOT-2932019","SNYK-JS-GOT-2932019","SNYK-JS-HTTPCACHESEMANTICS-3248783","SNYK-JS-REQUEST-3361831","SNYK-JS-TAR-6476909","SNYK-JS-WS-1296835","SNYK-JS-WEB3-174533"]}'

Snyk has created this PR to upgrade solidity-coverage from 0.7.21 to 0.8.12.

See this package in npm:
solidity-coverage

See this project in Snyk:
https://app.snyk.io/org/muisance/project/c8db6975-f9ad-4b1f-b5e8-94654e147c9d?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link

vercel bot commented Aug 6, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
excalibur ❌ Failed (Inspect) Aug 6, 2024 9:40am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants