Update @ethersproject/providers dependency to fix vulnerability in ws

[Fabricevladimir]

Description

The @ethersproject/providers dependency used by snapshot.js includes a vulnerable version of the ws package. This vulnerability has been addressed in the latest versions of ws and subsequently in @ethersproject/providers.

To resolve this issue, snapshot.js needs to update its @ethersproject/providers dependency to at least version 6.0.0, which includes the patched version of ws.

Details

• Affected Package: @ethersproject/providers
• Vulnerable Dependency: ws
• Current @ethersproject/providers Version: 5.6.x
• Fixed @ethersproject/providers Version: 6.0.0
• Severity: High

Steps to Reproduce

1. Install the current version of snapshot.js.
2. Run a vulnerability scan (e.g., npm audit or yarn audit).
3. Observe the reported vulnerability related to ws.

Recommended Action

Update the @ethersproject/providers dependency in snapshot.js to version 6.0.0 or later.

References

• ws Security Advisory
• ethers.js v 5.6.8 vulnerable ws dependency
• ethers.js 6.0.0 patched ws dependency