From 88ab81f9e86c41368e0df1804290cf4777f81e74 Mon Sep 17 00:00:00 2001
From: Bartek
Date: Thu, 17 Aug 2023 11:41:34 +0200
Subject: [PATCH 1/3] fix audit
---
 audit-ci.jsonc | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
index 339c2f48b1..2460db00d2 100644
--- a/audit-ci.jsonc
+++ b/audit-ci.jsonc
@@ -32,6 +32,11 @@
 // Nodejs ‘undici’ Vulnerable to CRLF
 // Used only in hardhat, so only in dev. Even then we dont use remote requests.
 "GHSA-5r9g-qh6m-jxff",
+ // https://github.com/advisories/GHSA-j8xg-fqg3-53r7
+ // vulnerable to Regular Expression Denial of Service
+ // from: eslint>optionator>word-wrap
+ // word-wrap in eslint, we are on the latest major version, safe to ignore
+ "GHSA-j8xg-fqg3-53r7",

 // Open Zepplin
 ////////////
@@ -102,6 +107,13 @@
 // from: @arbitrum/nitro-contracts>hardhat>semver
 // from: arb-bridge-peripherals>arb-bridge-eth>hardhat>semver
 // Used only in dev.
- "GHSA-c2qf-rxjj-qqgw"
+ "GHSA-c2qf-rxjj-qqgw",
+ // https://github.com/advisories/GHSA-g4vp-m682-qqmp
+ // contracts using ERC2771Context along with a custom trusted forwarder may see
+ // _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes
+ // from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
+ // from @arbitrum/nitro-contracts>@openzeppelin/contracts
+ //
+ "GHSA-g4vp-m682-qqmp"
 ]
 }
From 5c552f830594292e93e4d9b257e8c78a142fe86c Mon Sep 17 00:00:00 2001
From: Bartek
Date: Thu, 17 Aug 2023 11:54:28 +0200
Subject: [PATCH 2/3] Update audit-ci.jsonc
Co-authored-by: spsjvc
---
 audit-ci.jsonc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
index 2460db00d2..8faaa9c0b9 100644
--- a/audit-ci.jsonc
+++ b/audit-ci.jsonc 
@@ -33,9 +33,8 @@
 // Used only in hardhat, so only in dev. Even then we dont use remote requests.
 "GHSA-5r9g-qh6m-jxff",
 // https://github.com/advisories/GHSA-j8xg-fqg3-53r7
- // vulnerable to Regular Expression Denial of Service
- // from: eslint>optionator>word-wrap
- // word-wrap in eslint, we are on the latest major version, safe to ignore
+ // word-wrap vulnerable to Regular Expression Denial of Service
+ // Used only in eslint, so only in dev.
 "GHSA-j8xg-fqg3-53r7",

 // Open Zepplin
From 5971c17c3d704620517fd4c3a0abf4551f924856 Mon Sep 17 00:00:00 2001
From: Bartek
Date: Thu, 17 Aug 2023 12:39:32 +0200
Subject: [PATCH 3/3] comments
---
 audit-ci.jsonc | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
index 8faaa9c0b9..8fbdf4d996 100644
--- a/audit-ci.jsonc
+++ b/audit-ci.jsonc
@@ -33,7 +33,7 @@
 // Used only in hardhat, so only in dev. Even then we dont use remote requests.
 "GHSA-5r9g-qh6m-jxff",
 // https://github.com/advisories/GHSA-j8xg-fqg3-53r7
- // word-wrap vulnerable to Regular Expression Denial of Service
+ // word-wrap vulnerable to Regular Expression Denial of Service
 // Used only in eslint, so only in dev.
 "GHSA-j8xg-fqg3-53r7",

@@ -108,11 +108,10 @@
 // Used only in dev.
 "GHSA-c2qf-rxjj-qqgw",
 // https://github.com/advisories/GHSA-g4vp-m682-qqmp
- // contracts using ERC2771Context along with a custom trusted forwarder may see
- // _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes
+ // OpenZeppelin Contracts vulnerable to Improper Escaping of Output
 // from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
 // from @arbitrum/nitro-contracts>@openzeppelin/contracts
- //
+ // We don't use ERC2771Context
 "GHSA-g4vp-m682-qqmp"
 ]
 }
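Review bot: The justification `// We don't use ERC2771Context` added at the end of the GHSA-g4vp-m682-qqmp entry in the second hunk of PATCH 3/3 records a conclusion without its basis, and since the advisory reaches this repo through `@arbitrum/nitro-contracts`, the claim that matters is whether anything compiled from that package (and from the `contracts-upgradeable` path listed above it) inherits `ERC2771Context`, not only this repository's own sources. The same hunk swaps the concrete failure mode for the advisory's generic title, so the next reader loses the detail (`_msgSender` returning `address(0)` on forwarder calls with calldata shorter than 20 bytes) needed to re-check that justification. Because an audit-ci allowlist entry never expires on its own, I would keep the specific description alongside the title and record what was checked plus a revisit trigger, e.g. `// We don't use ERC2771Context (checked: <files/contracts inspected>); revisit once nitro-contracts picks up a patched @openzeppelin/contracts`. Minor: the path line `// from @arbitrum/nitro-contracts>@openzeppelin/contracts` is missing the `from:` colon that every sibling line uses.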