[Snyk] Fix for 7 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/db/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-APOLLOSERVERCORE-2928764	Yes	No Known Exploit
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	No	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @truffle/compile-common

The new version differs by 250 commits.

• 4a67c2b Publish
• 7b17c78 Merge pull request Internal update: clean dependencies trufflesuite/truffle#4149 from trufflesuite/clean-dependency
• d129001 Merge pull request Bug fix: Sanitize network name for graphql query in db trufflesuite/truffle#4198 from trufflesuite/db-fix
• 4e44178 Strip out characters from network name that would form improper graphql queries
• eebc7f9 source-fetcher: reorg how definitions are imported
• d0d9a60 source-fetcher: add @ types/node^15.0.1 as a devDep
• 68c4af0 core: remove unused deps
• c009a52 core: move app-module-path to devDeps
• df0e18b Revert "core: remove unused dependencies"
• b19e21f Revert "plugins: move app-module-path to devDependency"
• f91f21f core: remove unused dependencies
• 13c368f debugger: remove unused dependencies
• b6f39d9 migrate: remove unused dependency
• 88d5d2c resolver: remove unused dependency
• 46e7dc6 debug-utils: remove unused dependency
• cbcd2cc compile-common: move packages to devDependency
• 5ee7b4e require: remove unused dependency
• ce3f5a6 preserve-to-filecoin: remove unused dependency
• bf4639a hdwallet-provider: remove unused dependencies
• 05ea7e9 reporters: remove unused dependency
• ec2cd00 source-fetcher: remove unused dependency
• 8b73f36 plugins: move app-module-path to devDependency
• c224a43 contract-schema: remove unused dependency
• cbb3ff7 Merge pull request Bug fix: Disallow non-absolute non-relative FS imports trufflesuite/truffle#4190 from trufflesuite/no-double-path

See the full diff

Package name: apollo-server

The new version differs by 250 commits.

• bcfd36c Release
• a97684f docs: get ready for 3.0.0 to be released to `next` (Add tests to the @truffle/from-hardhat package trufflesuite/truffle#5442)
• 81ae16f Update header comment to say @ 3.x instead of @ rc
• 76344b6 docs/READMEs: add `@ 3.x` to all `npm install` invocations
• 537cf1c docs: remove migration to 2.x doc (old, already unlinked)
• 348aa97 chore(deps): update dependency @ types/node-fetch to v2.5.11 (Truffle's default optimizer settings actually have an effect trufflesuite/truffle#5441)
• 74b1d97 chore(deps): update dependency @ types/lru-cache to v5.1.1 ([Bug in dependency] Introducing HDWalletProvider causes responses to get mixed up trufflesuite/truffle#5440)
• c8062f7 chore(deps): update dependency @ types/lodash to v4.14.171 (unable to install ganache in my system trufflesuite/truffle#5439)
• 84b7587 chore(deps): update dependency @ types/koa-router to v7.4.3 (#5438)
• 4a8726c chore(deps): update dependency @ types/jest to v26.0.24 (Getting an error when fetching the Solidity compiler trufflesuite/truffle#5437)
• 87d4dcf chore(deps): update dependency @ types/ioredis to v4.26.5 (#5436)
• 6ce5ecc chore(deps): update dependency @ types/hapi__hapi to v20.0.9 (Fix typo in compilations/types.ts trufflesuite/truffle#5435)
• d60fd62 chore(deps): update dependency @ types/express-serve-static-core to v4.17.23 (Hook up truffle debug to @truffle/from-hardhat trufflesuite/truffle#5434)
• d948605 chore(deps): update dependency @ types/express to v4.17.13 (Use TruffleError instead of Error while parsing mutually exclusive options trufflesuite/truffle#5433)
• 8aca7a4 chore(deps): update dependency @ types/cors to v2.8.11 (Internal improvement: Fully convert compile-solidity to use TypeScript trufflesuite/truffle#5432)
• 3f0450b chore(deps): update dependency @ types/connect to v3.4.35 (Enhancement: Prepare debugger's block.difficulty reporting for the merge trufflesuite/truffle#5431)
• 02e71dd chore(deps): update dependency @ types/bunyan to v1.8.7 (#5430)
• 055b67d chore(deps): update dependency @ types/body-parser to v1.19.1 (#5429)
• e7c0329 chore(deps): update dependency @ types/aws-lambda to v8.10.78 (AUG 12, 9AM PST: Rentable NFTs with Double Protocol trufflesuite/truffle#5428)
• e5fbaf6 chore(deps): update dependency @ types/async-retry to v1.4.3 (ReferenceError: artifacts is not defined trufflesuite/truffle#5427)
• f30bc26 chore(deps): update dependency @ apollo/client to v3.3.21 (Enhancement: Add instance.estimateGas() and instance.call() trufflesuite/truffle#5426)
• b61f082 chore(deps): update dependency nock to v13.1.1 (Standardize @types/node version and upgrade all TS packages to use typescript@4.7.2 trufflesuite/truffle#5423)
• fab9351 chore(deps): update dependency @ types/uuid to v8.3.1 (Typedoc missing on numerous types in @truffle/db trufflesuite/truffle#5421)
• ad2cdb5 Release

See the full diff

Package name: web3

The new version differs by 250 commits.

• 02895cb Build for 1.7.5
• 34f6b68 v1.7.5
• 195f01d Manual build commit for 1.7.5-rc.1
• b640e26 v1.7.5-rc.1
• 96a7935 npm i
• 9476964 Merge branch '1.x' into release/1.7.5
• 84ac9b7 Fixed unit tests & removed dead code for web3-providers-http (Bump jsdom from 16.4.0 to 16.7.0 trufflesuite/truffle#5228) (Add GHA dependency check trufflesuite/truffle#5264)
• 2dcf142 Manual build commit for 1.7.5-rc.0
• ba30e1d v1.7.5-rc.0
• c93940b npm i and CHANGELOG update for 1.7.5 release
• fc7bfcd 1.x Libs Update including parse-url (CompileError: project:/contracts/kyc.sol:4:1: DeclarationError: Identifier already declared. trufflesuite/truffle#5254)
• ca827a7 fix Promise in Accounts.signTransaction() throwing errors that cannot be caught Bump pathval from 1.1.0 to 1.1.1 trufflesuite/truffle#4724 (Specify --platform when running solc Docker image trufflesuite/truffle#5080) (Internal improvement: Clean up some scenario tests trufflesuite/truffle#5252)
• 35d8f7f Update AbstractProvider with correct typing (Standardize Test Approach  trufflesuite/truffle#5206)
• 57b6dc4 Add createAccessList type (Truffle init not working in VS Code trufflesuite/truffle#5146) (Audit and Fix the Windows Build trufflesuite/truffle#5204)
• 46b5a5b fix remove wallet using an index when an account address and address lowercase are equal Persistence of deprecated packages and vulnerabilities trufflesuite/truffle#5049 (Truffle Dashboard is a blank page trufflesuite/truffle#5050) (Audit and Fix our Flaky Tests trufflesuite/truffle#5202)
• 2a1308f Fix transactionRoot -> transactionsRoot in BlockHeader (Truffle should allow people to specify their truffle exec scripts as typescript, without compilation trufflesuite/truffle#5083) (Standardize tsconfig files across packages trufflesuite/truffle#5197)
• 9e0d9d1 hexToNumber: return BigInt if result is bigger than max integer (dashboard: fix bad merge, add extra debug logging trufflesuite/truffle#5157)
• 555aa0d web3-providers-http: Migrate from xhr2-cookies to cross-fetch (Testing basic contract on truffle trufflesuite/truffle#5179)
• c034b8d Update `got` dependency for `web3-bzz` package (Testing basic contract on truffle trufflesuite/truffle#5178)
• aae9d4a Updates on `README.md` Format (Enhancement: Add more networks to sourcify source fetcher trufflesuite/truffle#5115)
• 8f05f19 Fixed documentation for web3.eth.accounts.signTransaction (Ganache Discussions trufflesuite/truffle#5121)
• 5b10473 Fix typo (stuck in installing truffle trufflesuite/truffle#5116)
• 18da528 fix typos in web3-eth-accounts.rst & TESTING.md improve default truffle-config.js readability trufflesuite/truffle#5047 (Bug fix: Prevent intermediate state from appearing in final txlog trufflesuite/truffle#5048)
• e9ab4a5 Typo foudn (Bug fix: Remove incorrect typings from contract trufflesuite/truffle#5142)

See the full diff

Package name: web3-utils

The new version differs by 200 commits.

• 8bfba23 v1.3.6
• 4fee853 Update geth-dev-assistant
• 69155de 1.3.6-rc.2 Fixes (Truffle error when trying to mint 721 tokens trufflesuite/truffle#4065)
• 444bce7 Remove dtslint from ci scripts (1ST DAP POOL trufflesuite/truffle#4064)
• 360b96a Fixing 1.3.6-rc.2 related issues (Fix deprecated ts-jest config trufflesuite/truffle#4063)
• 7584ed7 Add web3-core-helpers as dev dependency
• 2823033 Add web3-core-helpers as dev dependency
• bd4509f 1.3.6-rc.2 fixes (Misleading documentation of Truffle configuration trufflesuite/truffle#4062)
• 2d3c54a 1.3.6-rc.2 (Error in Open Zeppelin's expectRevert when used with truffle run coverage trufflesuite/truffle#4059)
• b0822cd v1.3.6-rc.1
• 0b243e4 Built lib for 1.3.6-rc.1
• 5894e9e npm i
• 131fb16 Merge conflicts
• 73ef7e2 v1.3.6-rc.0
• e758f4b Built lib for 1.3.6-rc.0
• cddf991 Update CHANGELOG and ran npm i
• fdbda49 Bump underscore (Fix truffle debug badCompilations error trufflesuite/truffle#4051)
• 5d02719 Release/1.3.5 (Enhancement: Create @truffle/encoder and use it in @truffle/decoder for mapping keys trufflesuite/truffle#3974)
• 888d107 Feature/web3 eth iban es6 (truffle compile - SyntaxError: Unexpected identifier trufflesuite/truffle#3964) (Dependency update: Upgrade web3 to 1.3.5 trufflesuite/truffle#3965)
• dc148e7 Clarify commitment to semantic versioning (Truffle migrate cannot handle a network ID different from the chain ID trufflesuite/truffle#3961) (When i run truffle test following errors occure trufflesuite/truffle#3962)
• 88f59fe Debugging failing tests (not installing properly trufflesuite/truffle#3959) (If tx is null, the deployment will be broken. trufflesuite/truffle#3960)
• 8b2291b Rename tsc to compile (Cannot migrate to custom blockchain since truffle@5.2.5 trufflesuite/truffle#3957) (Quorum Raft support broken in versions >5.1.50 trufflesuite/truffle#3958)
• bb259d9 add nvmrc file (Response object from transaction execution is different with '--stacktrace' trufflesuite/truffle#3817)
• 20bf22d Bump elliptic from 6.5.3 to 6.5.4 in /packages/web3-core-requestmanager (Repair geth CI jobs trufflesuite/truffle#3945)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Arbitrary Code Injection
🦉 Arbitrary Code Injection