[Snyk] Security upgrade web3 from 1.10.4 to 4.0.1

[Woodpile37]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • apps/block_scout_web/assets/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ES5EXT-6095076	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: web3

The new version differs by 250 commits.

• 5b5bf87 changelog updates
• 45d55c3 version update
• 4358140 Release/4.0.1 rc.2 (Bump ex_abi from 0.5.11 to 0.5.14 blockscout/blockscout#6152)
• cdc2835 fix canary auth (Bump sass from 1.54.9 to 1.55.0 in /apps/block_scout_web/assets blockscout/blockscout#6151)
• 55a4de1 add util polyfill (Canto: Smart Contract Verification blockscout/blockscout#6150)
• 45edf3d Canary releases (ERC721 token transfer page erc721-media always be "/images/controller.svg" blockscout/blockscout#6143)
• 01ce365 Proposal for rearranging docs (new Blocks always display Miner 0x0000...address,how to display validator address? blockscout/blockscout#6141)
• 86082bc skip '### Breaking Changes' section from unreleasedSection array (Bump core-js from 3.25.1 to 3.25.2 in /apps/block_scout_web/assets blockscout/blockscout#6138)
• d60c285 Fix plugin example tests with `4.0.1-rc.1` (Optimism on Gnosis Chain: <Issue Title> blockscout/blockscout#6134)
• 88ac791 Correct and enhance documentation for subscribing to events (Batch request length too long JSONRPC Indexer.Fetcher.CoinBalance terminating blockscout/blockscout#6129)
• daaaff7 Autotype for contract methods (Enhancement of gas price oracle: take into account EIP-1559 blockscout/blockscout#6137)
• ab80131 support ESM builds (ccvv blockscout/blockscout#6131)
• 6202d1e min build whitelisting (Address: internal transactions timeout blockscout/blockscout#6132)
• 7a924db migration guide update (Ethereum Classic: <Issue Title> blockscout/blockscout#6130)
• 4f423fc Fix validation of nested tuples (Rename obsolete "parity" EthereumJSONRPC.Variant to "nethermind" blockscout/blockscout#6125)
• 408332d fix!: remove non read-only ens methods (change Token type ERC-20  blockscout/blockscout#6084)
• 8c5ea34 Providers Tutorial (Bump jest-environment-jsdom from 29.0.2 to 29.0.3 in /apps/block_scout_web/assets blockscout/blockscout#6095)
• f2abd6a Eth turorial (Bump ex_abi from 0.5.11 to 0.5.13 blockscout/blockscout#6120)
• 210455a transaction integration tests (Add compose with smart-contract-verifier blockscout/blockscout#6071)
• fe959a1 Contract options fix (Fix unfetched token balances blockscout/blockscout#6118)
• bf1311f update docs so web is imported by default (Bump @babel/preset-env from 7.19.0 to 7.19.1 in /apps/block_scout_web/assets blockscout/blockscout#6112)
• 3b95b5e fix estimateGas to accept hex data without 0x prefix (Bump css-minimizer-webpack-plugin from 4.0.0 to 4.1.0 in /apps/block_scout_web/assets blockscout/blockscout#6103)
• 8c3a17b Add a tutorial for smart contract basic interaction (POA: Error Running Blockscout service blockscout/blockscout#6089)
• edc7a84 `defaultTransactionTypeParser` Refactor (Bump eslint from 8.23.0 to 8.23.1 in /apps/block_scout_web/assets blockscout/blockscout#6102)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 05edb17

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[codeautopilot]

PR summary

The Pull Request proposes an upgrade of the web3 package from version 1.10.4 to 4.0.1 in the apps/block_scout_web/assets/package.json file. This change is intended to fix a high-severity vulnerability related to Regular Expression Denial of Service (ReDoS) identified as SNYK-JS-ES5EXT-6095076. The upgrade is a breaking change, which means it could potentially introduce compatibility issues or require code changes to adapt to the new version of web3.

Suggestion

Before merging this PR, it is crucial to:

• Review the release notes and breaking changes between web3 versions 1.10.4 and 4.0.1 to understand the potential impact on the project.
• Test the application thoroughly to ensure that the upgrade does not break existing functionality.
• Consider the necessity of code changes or refactoring to accommodate the new version of web3.
• If the upgrade introduces significant issues, explore alternative ways to mitigate the vulnerability, such as patching or using a different version that does not include breaking changes.

Disclaimer: This comment was entirely generated using AI. Be aware that the information provided may be incorrect.

Current plan usage: 3.91%

Have feedback or need help?
Discord
Documentation
support@codeautopilot.com