Persistence of deprecated packages and vulnerabilities #5049
Unanswered
rlkiser
asked this question in
General Q&A
Replies: 1 comment 2 replies
@rlkiser These warnings are currently being worked on and revisited. I believe stability is the goal here, even with the warnings. Please be on the lookout for the next Truffle update. Thank you for bringing this issue up!
BLUF: There are many deprecated packages in the dependencies for this project. Several of these include serious vulnerabilities and some seem to have persisted for a while. I'm hoping to understand what is limiting activity to resolve these issues.
Core question: What are the challenges that are limiting the ability of the truffle project to stay up to date with dependencies? What resources would enable project maintainers to resolve the situation?
The details
Some background: I'm a security analyst who is looking to develop some familiarity with Solidity and smart contracts so that I can assess smart contracts for security issues effectively. Truffle was recommended to me as a starting point that's commonly used by developers working on Ethereum. When I went to install truffle however, npm alerted me to a large number of deprecated packages.
npm audit shows 22 known vulnerabilities (4 moderate, 17 high, 1 critical), which, to put it bluntly, is about what I'd expect given the number of deprecated packages. Given the incentives and potential for direct financial impact for smart contract exploits, the large footprint for one of the OWASP top 10 categories in the current package of a major smart contract framework is surprising and unsettling.
I skimmed through issues with the dependencies tag and didn't see open issues for the full set of deprecated dependencies. I note two "omnibus" issues (#4272 and #3986) which describe the large number of deprecated dependencies. From comments there it sounds like this has been prioritized, but #3986 is more than a year old now. With the caveats that:
(1.) I come from infosec; I'm not a developer - my expectations may not match up.
(2.) my node experience is limited
(3.) I'm relatively new to the world of smart contracts and don't really know the software security culture here
(4.) this was by no means a comprehensive investigation
I'm wondering: what are the barriers the team of maintainers have which are limiting activity on dependency maintenance? Is it just that team members don't have the resources and/or time to investigate and fix? Not sure where to start in order to start getting ahead of the problem? Something else?
Thank you, and please understand this is intended to be constructive rather than adversarial. Truffle is a package which I would like to be able to use. I'd like to understand the problem(s) here to see how (or even if) myself and others may be able to help.
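As an added example that is not part of the original post or of the Truffle project: the 22 findings mentioned above come from `npm audit`, which counts every package on the path from an advisory up to a direct dependency as a separate "vulnerability", so the first thing a security analyst usually wants is to reduce the report to its root advisories, the direct dependency each one reaches (the constraint that actually has to change), and whether a fix exists without a breaking bump. The script below does that over a constructed report in the npm 7+ `npm audit --json` shape (auditReportVersion 2). The package names, version ranges and advisory text are made up; the format details it relies on (string vs object entries in `via`, `effects`, and `fixAvailable` being `true`, `false` or an object with `isSemVerMajor`) are my reading of that format, not anything the project documents.

```javascript
"use strict";

// Constructed sample in the npm 7+ `npm audit --json` shape (auditReportVersion 2).
// Package names, ranges and advisory text are made up for this example.
const adv = (id, name, severity, title, range) => ({
  source: id, name, dependency: name, title, severity, range,
  url: `https://example.invalid/advisories/${id}`, // constructed, not a real advisory
});
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "leaf-parser": {
      name: "leaf-parser", severity: "critical", isDirect: false,
      via: [adv(1001, "leaf-parser", "critical", "Prototype pollution (constructed)", "<1.2.6")],
      effects: ["mid-lib"], range: "<1.2.6", nodes: ["node_modules/leaf-parser"],
      fixAvailable: true,
    },
    "mid-lib": {
      name: "mid-lib", severity: "critical", isDirect: false,
      via: ["leaf-parser"], // a string means "vulnerable only because it depends on this"
      effects: ["top-tool"], range: "0.4.1 - 0.5.1", nodes: ["node_modules/mid-lib"],
      fixAvailable: true,
    },
    "top-tool": {
      name: "top-tool", severity: "critical", isDirect: true,
      via: ["mid-lib"], effects: [], range: "<=2.9.0", nodes: ["node_modules/top-tool"],
      // an object here means the fix is a semver-major (breaking) bump
      fixAvailable: { name: "top-tool", version: "3.0.0", isSemVerMajor: true },
    },
    "old-helper": {
      name: "old-helper", severity: "high", isDirect: true,
      via: [adv(1002, "old-helper", "high", "ReDoS (constructed)", "*")],
      effects: [], range: "*", nodes: ["node_modules/old-helper"],
      fixAvailable: false, // no fixed release exists
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 3, total: 4 } },
};

// Only entries whose `via` contains an advisory object are actually vulnerable
// packages; entries with string-only `via` are affected by propagation.
function rootAdvisories(report) {
  const out = [];
  for (const entry of Object.values(report.vulnerabilities)) {
    for (const v of entry.via) {
      if (typeof v === "object" && v !== null) {
        out.push({ package: entry.name, severity: v.severity, title: v.title, url: v.url });
      }
    }
  }
  return out;
}

// Follow `effects` upward from a vulnerable package until a direct dependency is
// reached. The last element of each returned path is the direct dependency whose
// constraint must change for the fix to land.
function pathsToDirect(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return []; // unknown name or a cycle in `effects`
  const next = new Set(seen).add(name);
  if (entry.isDirect || entry.effects.length === 0) return [[name]];
  const paths = [];
  for (const parent of entry.effects) {
    for (const p of pathsToDirect(report, parent, next)) paths.push([name, ...p]);
  }
  return paths;
}

// Bucket every entry by what fixing it costs: a non-breaking bump, a
// semver-major change, or nothing available at all.
function fixPlan(report) {
  const plan = { nonBreaking: [], breaking: [], unfixable: [] };
  for (const entry of Object.values(report.vulnerabilities)) {
    const f = entry.fixAvailable;
    if (f === false) plan.unfixable.push(entry.name);
    else if (f && typeof f === "object" && f.isSemVerMajor) plan.breaking.push(`${entry.name} -> ${f.name}@${f.version}`);
    else plan.nonBreaking.push(entry.name);
  }
  return plan;
}

function summarize(report) {
  return {
    reported: report.metadata.vulnerabilities.total,
    rootCauses: rootAdvisories(report).length,
    directDeps: Object.values(report.vulnerabilities).filter((e) => e.isDirect).map((e) => e.name),
    fix: fixPlan(report),
  };
}

// For a real project: `npm audit --json > audit.json`, then replace SAMPLE_REPORT
// with JSON.parse(require("fs").readFileSync("audit.json", "utf8")).
console.log(JSON.stringify(summarize(SAMPLE_REPORT), null, 2));
for (const r of rootAdvisories(SAMPLE_REPORT)) {
  console.log(`${r.severity.padEnd(8)} ${r.package}: ${r.title}`);
  for (const p of pathsToDirect(SAMPLE_REPORT, r.package)) console.log("   via " + p.join(" -> "));
}
```

On the constructed report npm's headline count is 4, but there are only 2 root advisories, and one of them can only be closed by a breaking bump of a direct dependency while the other has no fix at all. That split (root causes, which direct constraint to change, and fixable vs. not) is usually a more useful starting point for a conversation with maintainers than the raw severity counts.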