[Snyk] Security upgrade ethers from 5.7.2 to 6.0.0

.github/workflows/snyk-security.yml

@@ -0,0 +1,79 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
+# Snyk Container and Snyk Infrastructure as Code)
+# The setup installs the Snyk CLI - for more details on the possible commands
+# check https://docs.snyk.io/snyk-cli/cli-reference
+# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
+#
+# In order to use the Snyk Action you will need to have a Snyk API token.
+# More details in https://github.com/snyk/actions#getting-your-snyk-token
+# or you can signup for free at https://snyk.io/login
+#
+# For more examples, including how to limit scans to only high-severity issues
+# and fail PR checks, see https://github.com/snyk/actions/
+
+name: Snyk Security
+
+on:
+  push:
+    branches: ["develop" ]
+  pull_request:
+    branches: ["develop"]
+
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Snyk CLI to check for security issues
+        # Snyk can be used to break the build when it detects security issues.
+        # In this case we want to upload the SAST issues to GitHub Code Scanning
+        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+
+        # For Snyk Open Source you must first set up the development environment for your application's dependencies
+        # For example for Node
+        #- uses: actions/setup-node@v3
+        #  with:
+        #    node-version: 16
+
+        env:
+          # This is where you will need to introduce the Snyk API token created with your Snyk account
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+        # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
+        # Use || true to not fail the pipeline
+      - name: Snyk Code test
+        run: snyk code test --sarif > snyk-code.sarif # || true
+
+        # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
+      - name: Snyk Open Source monitor
+        run: snyk monitor --all-projects
+
+        # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk.
+        # Use || true to not fail the pipeline.
+      - name: Snyk IaC test and report
+        run: snyk iac test --report # || true
+
+        # Build the docker image for testing
+      - name: Build a Docker image
+        run: docker build -t your/image-to-test .
+        # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
+      - name: Snyk Container monitor
+        run: snyk container monitor your/image-to-test --file=Dockerfile
+
+        # Push the Snyk Code results into GitHub Code Scanning tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk-code.sarif

azure-pipelines.yml

@@ -0,0 +1,23 @@
+# Jekyll site
+# Package your Jekyll site using the jekyll/builder Docker container image.
+# Add steps that build, test, save build artifacts, deploy, and more:
+# https://aka.ms/yaml
+
+trigger:
+- develop
+
+pool:
+  vmImage: ubuntu-latest
+
+steps:
+- task: Docker@0
+  displayName: 'Run Jekyll'
+  inputs:
+    containerRegistryType: 'Container Registry'
+    action: 'Run an image'
+    imageName: 'jekyll/builder:latest'
+    volumes: |
+      $(build.sourcesDirectory):/srv/jekyll
+      $(build.binariesDirectory):/srv/jekyll/_site
+    containerCommand: 'jekyll build --future'
+    detached: false

go.mod

@@ -39,10 +39,10 @@ require (
 	github.com/prometheus/client_golang v1.17.0
 	github.com/stretchr/testify v1.8.4
 	github.com/urfave/cli/v2 v2.26.0
-	golang.org/x/crypto v0.16.0
+	golang.org/x/crypto v0.19.0
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	golang.org/x/sync v0.5.0
-	golang.org/x/term v0.15.0
+	golang.org/x/term v0.17.0
 	golang.org/x/time v0.5.0
 	gorm.io/driver/postgres v1.5.4
 	gorm.io/gorm v1.25.5
@@ -199,7 +199,7 @@ require (
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/mod v0.13.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/tools v0.14.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect

go.sum

@@ -767,8 +767,8 @@ golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
@@ -877,13 +877,13 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=

indexer/Dockerfile

@@ -20,7 +20,7 @@ WORKDIR /app/indexer
 
 RUN make indexer
 
-FROM alpine:3.18
+FROM alpine:3
 
 COPY --from=builder /app/indexer/indexer /usr/local/bin
 COPY --from=builder /app/indexer/indexer.toml /app/indexer/indexer.toml

op-batcher/Dockerfile

@@ -2,7 +2,7 @@ ARG OP_STACK_GO_BUILDER=us-docker.pkg.dev/oplabs-tools-artifacts/images/op-stack
 FROM $OP_STACK_GO_BUILDER as builder
 # See "make golang-docker" and /ops/docker/op-stack-go
 
-FROM alpine:3.18
+FROM alpine:3
 
 COPY --from=builder /usr/local/bin/op-batcher /usr/local/bin/op-batcher
 

op-challenger/Dockerfile

@@ -2,7 +2,7 @@ ARG OP_STACK_GO_BUILDER=us-docker.pkg.dev/oplabs-tools-artifacts/images/op-stack
 FROM $OP_STACK_GO_BUILDER as builder
 # See "make golang-docker" and /ops/docker/op-stack-go
 
-FROM alpine:3.18
+FROM alpine:3
 
 # Make the bundled op-program the default cannon server
 COPY --from=builder /usr/local/bin/op-program /usr/local/bin/op-program

op-exporter/Dockerfile

@@ -7,7 +7,7 @@ WORKDIR /app/
 RUN apk --no-cache add make bash jq git
 RUN make build
 
-FROM alpine:3.18
+FROM alpine:3
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
 COPY --from=builder /app/op-exporter /usr/local/bin/

op-heartbeat/Dockerfile

@@ -2,7 +2,7 @@ ARG OP_STACK_GO_BUILDER=us-docker.pkg.dev/oplabs-tools-artifacts/images/op-stack
 FROM $OP_STACK_GO_BUILDER as builder
 # See "make golang-docker" and /ops/docker/op-stack-go
 
-FROM alpine:3.18
+FROM alpine:3
 
 COPY --from=builder /usr/local/bin/op-heartbeat /usr/local/bin/op-heartbeat
 

op-node/Dockerfile

@@ -2,7 +2,7 @@ ARG OP_STACK_GO_BUILDER=us-docker.pkg.dev/oplabs-tools-artifacts/images/op-stack
 FROM $OP_STACK_GO_BUILDER as builder
 # See "make golang-docker" and /ops/docker/op-stack-go
 
-FROM alpine:3.18
+FROM alpine:3
 
 COPY --from=builder /usr/local/bin/op-node /usr/local/bin/op-node
 

op-program/Dockerfile

@@ -2,7 +2,7 @@ ARG OP_STACK_GO_BUILDER=us-docker.pkg.dev/oplabs-tools-artifacts/images/op-stack
 FROM $OP_STACK_GO_BUILDER as builder
 # See "make golang-docker" and /ops/docker/op-stack-go
 
-FROM alpine:3.18
+FROM alpine:3
 
 COPY --from=builder /usr/local/bin/op-program /usr/local/bin/op-program
 

op-proposer/Dockerfile

@@ -2,7 +2,7 @@ ARG OP_STACK_GO_BUILDER=us-docker.pkg.dev/oplabs-tools-artifacts/images/op-stack
 FROM $OP_STACK_GO_BUILDER as builder
 # See "make golang-docker" and /ops/docker/op-stack-go
 
-FROM alpine:3.18
+FROM alpine:3
 
 COPY --from=builder /usr/local/bin/op-proposer /usr/local/bin/op-proposer
 

op-wheel/Dockerfile

@@ -1,7 +1,7 @@
 ARG OP_STACK_GO_BUILDER=us-docker.pkg.dev/oplabs-tools-artifacts/images/op-stack-go:latest
 FROM $OP_STACK_GO_BUILDER as builder
 # See "make golang-docker" and /ops/docker/op-stack-go
-FROM alpine:3.18
+FROM alpine:3
 
 COPY --from=builder /app/op-wheel/bin/op-wheel /usr/local/bin
 

ops-bedrock/Dockerfile.l1

@@ -1,4 +1,4 @@
-FROM ethereum/client-go:v1.13.5
+FROM ethereum/client-go:v1.13.13
 
 RUN apk add --no-cache jq bash
 

ops-bedrock/Dockerfile.stateviz

@@ -15,7 +15,7 @@ COPY ./op-node /app/op-node
 
 RUN go build -o ./bin/stateviz ./cmd/stateviz
 
-FROM alpine:3.19
+FROM alpine:3
 
 COPY --from=builder /app/op-node/bin/stateviz /usr/local/bin
 

ops/check-changed/requirements.txt

@@ -1,12 +1,12 @@
-certifi==2023.7.22
+certifi==2024.7.4
 cffi==1.15.1
 charset-normalizer==2.1.1
 Deprecated==1.2.13
-idna==3.4
+idna==3.7
 pycparser==2.21
 PyGithub==1.57
 PyJWT==2.6.0
 PyNaCl==1.5.0
-requests==2.28.1
-urllib3==1.26.18
+requests==2.32.2
+urllib3==1.26.19
 wrapt==1.14.1

ops/docker/Dockerfile.packages

@@ -35,7 +35,7 @@ FROM us-docker.pkg.dev/oplabs-tools-artifacts/images/ci-builder:latest as foundr
 # we use it rather than alpine because it's not much
 # bigger and alpine is often missing packages for node applications
 # alpine is not officially supported by node.js
-FROM node:20.8.1-bullseye-slim as base
+FROM node:20.16-bullseye-slim as base
 
 # Base: install deps
 RUN apt-get update && apt-get install -y \

ops/docker/ci-builder/Dockerfile

@@ -54,7 +54,7 @@ RUN go install gotest.tools/gotestsum@latest
 RUN go install github.com/vektra/mockery/[email protected]
 RUN go install github.com/golangci/golangci-lint/cmd/[email protected]
 
-FROM --platform=linux/amd64 python:3.11.4-slim-bullseye
+FROM --platform=linux/amd64 python:3.13.0rc1-slim-bullseye
 
 ENV GOPATH=/go
 ENV PATH=/usr/local/go/bin:$GOPATH/bin:$PATH

ops/tag-service/requirements.txt

@@ -1,2 +1,3 @@
 click==8.1.3
 semver==3.0.0-dev4
+zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability

package.json

@@ -55,7 +55,7 @@
     "chai": "^4.3.10",
     "depcheck": "^1.4.7",
     "doctoc": "^2.2.0",
-    "eslint": "^8.55.0",
+    "eslint": "^8.57.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-config-standard": "^16.0.3",
     "eslint-plugin-import": "^2.29.0",

packages/chain-mon/package.json

@@ -55,7 +55,7 @@
     "chai-as-promised": "^7.1.1",
     "dateformat": "^4.5.1",
     "dotenv": "^16.3.1",
-    "ethers": "^5.7.2"
+    "ethers": "^6.0.0"
   },
   "devDependencies": {
     "@ethersproject/abstract-provider": "^5.7.0",

packages/common-ts/package.json

@@ -41,7 +41,7 @@
     "commander": "^11.1.0",
     "dotenv": "^16.3.1",
     "envalid": "^8.0.0",
-    "ethers": "^5.7.2",
+    "ethers": "^6.0.0",
     "express": "^4.18.2",
     "express-prom-bundle": "^6.6.0",
     "lodash": "^4.17.21",

packages/contracts-bedrock/package.json

@@ -48,7 +48,25 @@
     "lint:ts:fix": "eslint --fix .",
     "lint:contracts:fix": "forge fmt",
     "lint:fix": "pnpm lint:contracts:fix && pnpm lint:ts:fix",
-    "lint": "pnpm lint:fix && pnpm lint:check"
+    "lint": "pnpm lint:fix && pnpm lint:
+    "lint:contracts:fix": "yarn solhint --fix 'contracts/**/*.sol' && yarn prettier --write 'contracts/**/*.sol'",
+    "lint:fix": "yarn lint:contracts:fix && yarn lint:ts:fix",
+    "lint": "yarn lint:fix && yarn lint:check",
+    "typechain": "typechain --target ethers-v5 --out-dir dist/types --glob 'artifacts/!(build-info)/**/+([a-zA-Z0-9_]).json'",
+    "echidna:aliasing": "echidna-test --contract EchidnaFuzzAddressAliasing --config ./echidna.yaml .",
+    "echidna:burn:gas": "echidna-test --contract EchidnaFuzzBurnGas --config ./echidna.yaml .",
+    "echidna:burn:eth": "echidna-test --contract EchidnaFuzzBurnEth --config ./echidna.yaml .",
+    "echidna:encoding": "echidna-test --contract EchidnaFuzzEncoding --config ./echidna.yaml .",
+    "echidna:portal": "echidna-test --contract EchidnaFuzzOptimismPortal --config ./echidna.yaml .",
+    "echidna:hashing": "echidna-test --contract EchidnaFuzzHashing --config ./echidna.yaml .",
+    "echidna:metering": "echidna-test --contract EchidnaFuzzResourceMetering --config ./echidna.yaml ."
+  },
+  "dependencies": {
+    "@eth-optimism/core-utils": "^0.12.0",
+    "@openzeppelin/contracts": "4.7.3",
+    "@openzeppelin/contracts-upgradeable": "4.7.3",
+    "ethers": "^5.7.0",
+    "hardhat": "^2.9.8"
   },
   "devDependencies": {
     "@typescript-eslint/eslint-plugin": "^6.13.2",

packages/core-utils/package.json

@@ -45,7 +45,7 @@
     "@ethersproject/rlp": "^5.7.0",
     "@ethersproject/web": "^5.7.1",
     "chai": "^4.3.10",
-    "ethers": "^5.7.2",
+    "ethers": "^6.0.0",
     "node-fetch": "^2.6.7"
   },
   "devDependencies": {