[Snyk] Upgrade solidity-coverage from 0.7.17 to 0.8.4

[Woodpile37]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade solidity-coverage from 0.7.17 to 0.8.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 15 versions ahead of your current version.
• The recommended version was released 2 months ago, on 2023-07-04.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Prototype Poisoning SNYK-JS-QS-3153490	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Prototype Pollution SNYK-JS-Y18N-1021887	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Denial of Service (DoS) npm:mem:20180117	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Open Redirect SNYK-JS-GOT-2932019	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Open Redirect SNYK-JS-GOT-2932019	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Authentication Bypass SNYK-JS-HTTPAUTH-471683	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Prototype Pollution SNYK-JS-JSON5-3182856	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: solidity-coverage

• 0.8.4 - 2023-07-04
  

  What's Changed

  • Prepare for next hardhat version by @ fvictorio in #796
  • Update solidity-parser to 0.16.0 by @ cgewecke in #802

  New Contributors

  • @ fvictorio made their first contribution in #796

  Full Changelog: v0.8.2...v0.8.4

• 0.8.3 - 2023-06-22
• 0.8.2 - 2022-09-08
  

  What's Changed

  • Set web3-utils dep to ^1.3.6 by @ MarkuSchick in #744

  New Contributors

  • @ MarkuSchick made their first contribution in #744

  Full Changelog: v0.8.1...v0.8.2

• 0.8.1 - 2022-09-06
  

  What's Changed

  • Bug fix: restore missing web3-utils dependency by @ cgewecke in #743

  Full Changelog: v0.8.0...v0.8.1

• 0.8.0 - 2022-09-05
  

  Hi!

  ⚠️ This version requires Hardhat >= 2.11.0 (Ethereum Merge)

  New Features

  A central focus of the 0.8.0 release is improving the coverage tool's branch detection.

  Beginning with this version the following syntax is measured as a branch:

  OR conditions

  When a logical expression is composed with the || operator, both sides can be considered branches. To test the entire expression

  if (a == 1 || a == 2)

  ... a must equal 1, 2 and neither of those values. (Thanks to Gnosis engineer @ rmeissner for proposing this in #175)

  

  Ternary Conditionals

  Long ago, when Solidity was 0.4, solidity-coverage treated ternary conditionals like regular if/else statements. Some language improvements v0.5 subsequently made this impossible. Now it's back...

  

  Modifier Invocations

  Solidity-coverage already covers the code within modifier definitions. However, each modifier invocation at the function level should really be considered its own branch. Some of the most critical logic in Solidity contracts is handled this way (ex: onlyOwner). Testing the pass/fail cases for each occurrence of these gates protects you from accidentally removing them during a refactor.

  Because it's possible to write a modifier which performs a preparatory task and never reverts, there's a new option (modifierWhitelist) which allows you to exclude specific modifiers from branch measurement.

  And if you don't like modifier invocation coverage you can turn it off by setting the option measureModifierCoverage to false.

  (Many thanks to OpenZeppelin engineer @ nventuro for proposing this improvement in #286 and helping to design it.)

  

  Test Matrix

  The hardhat and truffle plugins support a new cli flag: --matrix. (Short for "test matrix".)

  This flag generates a JSON object that maps which tests in your suite hit which lines of code. (An example can be seen at docs/matrix.md. More info can be found in the advanced docs, here.)

  This data is useful for many advanced testing applications - Security researcher @ JoranHonig has written two that are worth checking out.

  • vertigo: a mutation testing framework
  • tarantula: a fault localization tool

  Coverage is often a core component of fuzzing and generative test strategies because it helps narrow the range of inputs required to traverse every path in the code. If you're working on applications like this and have ideas for how solidity-coverage might serve your ends, please feel free to open an issue.

  Note to Truffle users

  solidity-coverage for Truffle is moving to its own repository and published under a different name (details soon...).

• 0.8.0-rc.test.0 - 2022-04-26
• 0.8.0-rc.1 - 2022-03-29
• 0.8.0-beta.1 - 2022-03-29
• 0.8.0-beta.0 - 2021-01-13
  

  Hi!

  This beta contains several new features. A central focus of the next major release is improving the coverage tool's branch detection.

  Beginning with this version the following syntax is measured as a branch:

  OR conditions

  When a logical expression is composed with the || operator, both sides can be considered branches. To test the entire expression

  if (a == 1 || a == 2)

  ... a must equal 1, 2 and neither of those values. (Thanks to Gnosis engineer @ rmeissner for proposing this in #175)

  

  Ternary Conditionals

  Long ago, when Solidity was 0.4, solidity-coverage treated ternary conditionals like regular if/else statements. Some language improvements v0.5 subsequently made this impossible. Now it's back...

  

  Modifier Invocations

  Solidity-coverage already covers the code within modifier definitions. However, each modifier invocation at the function level should really be considered its own branch. Some of the most critical logic in Solidity contracts is handled this way (ex: onlyOwner and nonReentrant). Testing the pass/fail cases for each occurrence of these gates protects you from accidentally removing them during a refactor or emergency patch.

  Because it's possible to write a modifier which performs a preparatory task and never reverts, there's a new option (modifierWhitelist) which allows you to exclude specific modifiers from branch measurement.

  And if you don't like modifier invocation coverage you can turn it off by setting the option measureModifierCoverage to false.

  (Many thanks to OpenZeppelin engineer @ nventuro for proposing this improvement in #286 and helping to design it.)

  

  Test Matrix

  The hardhat and truffle plugins support a new cli flag: --matrix. (Short for "test matrix".)

  This flag generates a JSON object that maps which tests in your suite hit which lines of code. (An example can be seen at docs/matrix.md. More info can be found in the advanced docs, here.)

  This data is useful for many advanced testing applications - Consensys security researcher @ JoranHonig has written two that are worth checking out.

  • vertigo: a mutation testing framework
  • tarantula: a fault localization tool

  Coverage is often a core component of fuzzing and generative test strategies because it helps narrow the range of inputs required to traverse every path in the code. If you're working on applications like this and have ideas for how solidity-coverage might serve your ends, please feel free to open an issue.

  What's Coming!

  We're hoping to get a major release out by the beginning of February (2021). It will include two additional features you can run in CI to get better feedback about what's changing in your code from PR to PR.

  • A unified diff of the public API changes in your contracts
  • Natspec documentation coverage
• 0.7.22 - 2022-09-05
• 0.7.21 - 2022-04-24
• 0.7.20 - 2022-02-15
• 0.7.19 - 2022-02-09
• 0.7.18 - 2022-01-17
• 0.7.18-eip165.0 - 2021-08-28
• 0.7.17 - 2021-08-27

from solidity-coverage GitHub release notes

Commit messages

Package name: solidity-coverage

• 4da00a8 0.8.4
• 2b20b1a Update solidity-parser to 0.16.0 (Remove admin functionality from RBAC OpenZeppelin/openzeppelin-contracts#802)
• 89882a2 0.8.3
• 5aee556 Merge branch 'master' of https://github.com/sc-forks/solidity-coverage
• e1416d9 Prepare for next hardhat version (Implement ControlledToken, contract owner can burn/mint tokens at will OpenZeppelin/openzeppelin-contracts#796)
• 9d24835 0.8.2
• 8d49be0 Bump web3-utils to ^1.3.6 (Feature/crowdsale refactor OpenZeppelin/openzeppelin-contracts#744)
• 6c7bfe7 Update changelog: 0.8.1
• ef94da3 0.8.1
• e265575 Restore web3-utils (Add Authorizable contract OpenZeppelin/openzeppelin-contracts#743)
• eca0b78 Update changelog 0.8.0
• 0a33e13 0.8.0
• 4c63612 Add hardhat to peerDependencies (Error encountered, bailing. Network state unknown. Review successful transactions manually. Error: VM Exception while processing transaction: revert OpenZeppelin/openzeppelin-contracts#722)
• 9ce20ff Typo / Grammar fix. (Fixed Contribution Guidelines link OpenZeppelin/openzeppelin-contracts#738)
• 204a5eb Added a section for the report location. (Crowdsale Refactor  OpenZeppelin/openzeppelin-contracts#739)
• ed3d504 Fix README for v0.8 release
• 05ab320 Fixes for Hardhat 2.11.0 (Test helpers reusability issue OpenZeppelin/openzeppelin-contracts#740)
• bc7d076 0.8.0 Additional Coverage Measurements & Restructure (Merge)
• a7db2fe More README changes
• 16367d1 Remove truffle files from project
• 26898c1 Remove Builder-E2E test
• 8ea8ec9 Fix true/false scoped method definition function visibilities
• 21ca46e Temporarily skip truffle integration tests
• 22992e1 Fix constructor test

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[changeset-bot]

⚠️ No Changeset found

Latest commit: e9f2b7d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR