Vulnerabilities reported when installing OpenZeppelin CLI via npm

Installing @openzeppelin/contracts with npm reports some vulnerabilities

:computer: Environment

last version of contracts lib, npm 6.14.6 within a linux snap

:memo: Details

see below

:1234: Code to reproduce

+ @openzeppelin/contracts@3.1.0

updated 1 package and audited 775 packages in 4.096s

10 packages are looking for funding
run npm fund for details

found 2122 vulnerabilities (5 low, 2116 high, 1 critical)
run npm audit fix to fix them, or npm audit for details

1 Like

Hi @David_Schmitz,

I get vulnerabilities reported when installing npm i @openzeppelin/upgrades.
I created an issue to track: https://github.com/OpenZeppelin/openzeppelin-sdk/issues/1578

From ethers-io/ethers.js#985 (regards elliptic)

I believe the vulnerability does not affect Ethereum, since adding null-byte padding to the front of anything signed as RLP-data or as an EIP-191 payload, mangles the meaning of its representation.


I didn't get any vulnerabilities installing @openzeppelin/contracts@3.1.0

I’ve changed my node source to the official one, coming from snap. The result is the same. I don’t know why:

schmitz@schmitz-HP-linux:~/dev/csan/polcoin$ node -v
v12.18.3
schmitz@schmitz-HP-linux:~/dev/csan/polcoin$ npm -v
6.14.6
schmitz@schmitz-HP-linux:~/dev/csan/polcoin$ npm install @openzeppelin/contracts
npm WARN polcoin@1.0.0 No description
npm WARN polcoin@1.0.0 No repository field.

+ @openzeppelin/contracts@3.1.0
updated 1 package and audited 775 packages in 4.584s

10 packages are looking for funding
  run `npm fund` for details

found 2122 vulnerabilities (5 low, 2116 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details
1 Like

Hi @David_Schmitz,

I am using Ubuntu on WSL2

In a new directory I did the following:

$ node --version
v12.18.3
$ npm --version
6.14.6
$ npm init -y
...
$ npm i @openzeppelin/contracts
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN David_Schmitz@1.0.0 No description
npm WARN David_Schmitz@1.0.0 No repository field.

+ @openzeppelin/contracts@3.1.0
added 1 package from 1 contributor and audited 1 package in 3.63s
found 0 vulnerabilities

Do you have anything else installed?

You're right, that doesn't come from /contract but /cli. I had installed the cli before.
Without cli installed, no issue and with cli installed, here's the result:

+ @openzeppelin/cli@2.8.2
added 770 packages from 462 contributors and audited 770 packages in 52.583s

10 packages are looking for funding
run npm fund for details

found 32 vulnerabilities (5 low, 26 high, 1 critical)
run npm audit fix to fix them, or npm audit for details

npm replicates the same message when I install the contract lib just after.
Nevertheless, there are fewer errors today :slight_smile:

Work env: linux ubuntu 20.04.1 - node v12.18.3 - npm 6.14.6

1 Like
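The exchange above narrows the audit findings down to the dependency tree of @openzeppelin/cli rather than @openzeppelin/contracts. The script below is an added example (not code from this thread or from OpenZeppelin) that reads the npm 6 `npm audit --json` report and groups each advisory by the top-level package at the head of its dependency path, so you can see which direct dependency introduces each finding before deciding whether it matters for your project. It assumes the npm 6 JSON layout (an "advisories" object whose entries carry "module_name", "severity", "title" and "findings" with "paths" written as "top>child>...>module"); the embedded report and its dependency paths are constructed for illustration, not a real audit result.

```python
"""Group npm 6 `npm audit --json` advisories by top-level dependency.

Added example, not code from the forum thread or from OpenZeppelin.
Assumes the npm 6 audit JSON layout described in the lead-in.
"""
import json
from collections import Counter, defaultdict

# Constructed sample in the npm 6 audit JSON shape; the package paths and
# advisory ids are illustrative, not taken from a real report.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "1001": {
            "module_name": "elliptic",
            "severity": "high",
            "title": "Signature Malleability",
            "findings": [
                {"version": "6.5.2",
                 "paths": ["@openzeppelin/cli>ethers>elliptic",
                           "@openzeppelin/cli>web3>web3-eth-accounts>elliptic"]},
            ],
        },
        "1002": {
            "module_name": "lodash",
            "severity": "low",
            "title": "Prototype Pollution",
            "findings": [
                {"version": "4.17.15",
                 "paths": ["@openzeppelin/cli>lodash"]},
            ],
        },
        "1003": {
            "module_name": "minimist",
            "severity": "critical",
            "title": "Prototype Pollution",
            "findings": [
                {"version": "0.0.8",
                 "paths": ["some-dev-tool>mkdirp>minimist"]},
            ],
        },
    },
})


def group_by_top_level(audit_json: str) -> dict:
    """Map each top-level package to the set of distinct advisories
    (module, severity, title) reachable through it.

    One advisory reachable via several paths under the same top-level
    package is counted once, because the fix is the same either way.
    """
    report = json.loads(audit_json)
    groups = defaultdict(set)
    for adv in report.get("advisories", {}).values():
        key = (adv["module_name"], adv["severity"], adv["title"])
        for finding in adv.get("findings", []):
            for path in finding.get("paths", []):
                # The first segment of "a>b>c" is the direct dependency
                # that pulled the vulnerable module in.
                top = path.split(">")[0]
                groups[top].add(key)
    return dict(groups)


def severity_counts(audit_json: str, top_level: str) -> dict:
    """Count distinct advisories per severity for one top-level package."""
    advisories = group_by_top_level(audit_json).get(top_level, set())
    return dict(Counter(severity for _, severity, _ in advisories))


def summarize(audit_json: str) -> str:
    """Render a short per-dependency summary, worst severity first."""
    order = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}
    lines = []
    for top, advisories in sorted(group_by_top_level(audit_json).items()):
        lines.append(f"{top}: {len(advisories)} distinct advisories")
        for module, severity, title in sorted(
                advisories, key=lambda a: (order.get(a[1], 9), a[0])):
            lines.append(f"  [{severity}] {module}: {title}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real usage: npm audit --json > audit.json; then pass its contents.
    print(summarize(SAMPLE_AUDIT_JSON))
```

Run it against a real report with `npm audit --json > audit.json` and pass the file contents to `summarize`. Grouping by the first path segment is what tells you the findings belong to the CLI's tooling dependencies and not to the contracts you compile into your project; the same advisory reached through two paths is deduplicated because removing or upgrading the direct dependency clears both.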

Hi @David_Schmitz,

The following issues are tracking the npm audit reports for the OpenZeppelin CLI:


1 Like

Thanks, good to know for the future. I’ll search better…

1 Like