[Snyk] Security upgrade web3 from 1.10.4 to 4.0.1

[Woodpile37]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • apps/block_scout_web/assets/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	591/1000 Why? Recently disclosed, Has a fix available, CVSS 6.1	Open Redirect SNYK-JS-EXPRESS-6474509	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: web3

The new version differs by 250 commits.

• 5b5bf87 changelog updates
• 45d55c3 version update
• 4358140 Release/4.0.1 rc.2 (Bump ex_abi from 0.5.11 to 0.5.14 blockscout/blockscout#6152)
• cdc2835 fix canary auth (Bump sass from 1.54.9 to 1.55.0 in /apps/block_scout_web/assets blockscout/blockscout#6151)
• 55a4de1 add util polyfill (Canto: Smart Contract Verification blockscout/blockscout#6150)
• 45edf3d Canary releases (ERC721 token transfer page erc721-media always be "/images/controller.svg" blockscout/blockscout#6143)
• 01ce365 Proposal for rearranging docs (new Blocks always display Miner 0x0000...address,how to display validator address? blockscout/blockscout#6141)
• 86082bc skip '### Breaking Changes' section from unreleasedSection array (Bump core-js from 3.25.1 to 3.25.2 in /apps/block_scout_web/assets blockscout/blockscout#6138)
• d60c285 Fix plugin example tests with `4.0.1-rc.1` (Optimism on Gnosis Chain: <Issue Title> blockscout/blockscout#6134)
• 88ac791 Correct and enhance documentation for subscribing to events (Batch request length too long JSONRPC Indexer.Fetcher.CoinBalance terminating blockscout/blockscout#6129)
• daaaff7 Autotype for contract methods (Enhancement of gas price oracle: take into account EIP-1559 blockscout/blockscout#6137)
• ab80131 support ESM builds (ccvv blockscout/blockscout#6131)
• 6202d1e min build whitelisting (Address: internal transactions timeout blockscout/blockscout#6132)
• 7a924db migration guide update (Ethereum Classic: <Issue Title> blockscout/blockscout#6130)
• 4f423fc Fix validation of nested tuples (Rename obsolete "parity" EthereumJSONRPC.Variant to "nethermind" blockscout/blockscout#6125)
• 408332d fix!: remove non read-only ens methods (change Token type ERC-20  blockscout/blockscout#6084)
• 8c5ea34 Providers Tutorial (Bump jest-environment-jsdom from 29.0.2 to 29.0.3 in /apps/block_scout_web/assets blockscout/blockscout#6095)
• f2abd6a Eth turorial (Bump ex_abi from 0.5.11 to 0.5.13 blockscout/blockscout#6120)
• 210455a transaction integration tests (Add compose with smart-contract-verifier blockscout/blockscout#6071)
• fe959a1 Contract options fix (Fix unfetched token balances blockscout/blockscout#6118)
• bf1311f update docs so web is imported by default (Bump @babel/preset-env from 7.19.0 to 7.19.1 in /apps/block_scout_web/assets blockscout/blockscout#6112)
• 3b95b5e fix estimateGas to accept hex data without 0x prefix (Bump css-minimizer-webpack-plugin from 4.0.0 to 4.1.0 in /apps/block_scout_web/assets blockscout/blockscout#6103)
• 8c3a17b Add a tutorial for smart contract basic interaction (POA: Error Running Blockscout service blockscout/blockscout#6089)
• edc7a84 `defaultTransactionTypeParser` Refactor (Bump eslint from 8.23.0 to 8.23.1 in /apps/block_scout_web/assets blockscout/blockscout#6102)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2a60c40

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codeautopilot]

PR summary

The Pull Request proposes an upgrade of the web3 package from version 1.10.4 to 4.0.1 in the apps/block_scout_web/assets/package.json file. This upgrade is intended to fix a medium-severity vulnerability related to an Open Redirect issue in the express package, which is a transitive dependency of web3. The vulnerability has a priority score of 591/1000, indicating it was recently disclosed and has a fix available, but there is no known exploit at the moment. The upgrade is a breaking change, which means it could potentially introduce compatibility issues or require code changes in the project.

Suggestion

Before merging this PR, it is crucial to:

• Review the release notes and breaking changes for web3 version 4.0.1 to understand the impact on the project.
• Test the application thoroughly to ensure that the upgrade does not break existing functionality.
• Consider the necessity of code changes or refactoring to accommodate the new version of web3.
• Verify that other dependencies are compatible with the new version of web3.
• If the breaking changes are too significant or the upgrade is not feasible, explore alternative ways to mitigate the vulnerability, such as patching the specific issue or finding a different library that does not introduce the vulnerability.

Disclaimer: This comment was entirely generated using AI. Be aware that the information provided may be incorrect.

Current plan usage: 68.90%

Have feedback or need help?
Discord
Documentation
support@codeautopilot.com

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud