Vulnerabilities reported when installing OpenZeppelin CLI via npm

Installing openzeppelin/contracts with npm that returns founding some vulnerabilities

:computer: Environment

last version of contracts lib, npm 6.14.6 within a linux snap

:memo:Details

see below

:1234: Code to reproduce

+ @openzeppelin/contracts@3.1.0

updated 1 package and audited 775 packages in 4.096s

10 packages are looking for funding
run npm fund for details

found 2122 vulnerabilities (5 low, 2116 high, 1 critical)
run npm audit fix to fix them, or npm audit for details

1 Like

Hi @David_Schmitz,

I get vulnerabilities reported when installing npm i @openzeppelin/upgrades.
I created an issue to track: https://github.com/OpenZeppelin/openzeppelin-sdk/issues/1578

From ethers-io/ethers.js#985 (regards elliptic)

I believe the vulnerability does not affect Ethereum, since adding null-byte padding to the front of anything signed as RLP-data or as an EIP-191 payload, mangles the meaning of its representation.


I didn’t get any vulnerabilities installing @openzeppelin/contracts@3.1.0

I’ve changed my node source to the official one, coming from snap. The result is the same. I don’t know why:

schmitz@schmitz-HP-linux:~/dev/csan/polcoin$ node -v
v12.18.3
schmitz@schmitz-HP-linux:~/dev/csan/polcoin$ npm -v
6.14.6
schmitz@schmitz-HP-linux:~/dev/csan/polcoin$ npm install @openzeppelin/contracts
npm WARN polcoin@1.0.0 No description
npm WARN polcoin@1.0.0 No repository field.

+ @openzeppelin/contracts@3.1.0
updated 1 package and audited 775 packages in 4.584s

10 packages are looking for funding
  run `npm fund` for details

found 2122 vulnerabilities (5 low, 2116 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details
1 Like

Hi @David_Schmitz,

I am using Ubuntu on WSL2

In a new directory I did the following:

$ node --version
v12.18.3
$ npm --version
6.14.6
$ npm init -y
...
$ npm i @openzeppelin/contracts
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN David_Schmitz@1.0.0 No description
npm WARN David_Schmitz@1.0.0 No repository field.

+ @openzeppelin/contracts@3.1.0
added 1 package from 1 contributor and audited 1 package in 3.63s
found 0 vulnerabilities

Do you have anything else installed?

You’re right, that doesn’t come from /contract but /cli. I had installed the cli before.
Without cli installed, no issue and with cli installed, here’s the result:

  • @openzeppelin/cli@2.8.2
    added 770 packages from 462 contributors and audited 770 packages in 52.583s

10 packages are looking for funding
run npm fund for details

found 32 vulnerabilities (5 low, 26 high, 1 critical)
run npm audit fix to fix them, or npm audit for details

npm replicates the same message when I install the contract lib just after.
Nevertheless, there are fewer errors today :slight_smile:

Work env: linux ubuntu 20.04.1 - node v12.18.3 - npm 6.14.6

1 Like

Hi @David_Schmitz,

The following issues are tracking the npm audit reports for the OpenZeppelin CLI:


1 Like

Thanks, good to know for the future. I’ll search better…

1 Like