
chore: patch chainsafe/discv5 #17806

Merged
AztecBot merged 1 commit into next from mralj/chore/patch-chainsafe-disv5-v5
Oct 20, 2025
mralj (Contributor) commented Oct 18, 2025

Removed dependency on bigint-buffer by patching discv5.
Repo link

The applied changes are inspired by this PR, but the changeset is much smaller -- I have only removed the dependency on bigint-buffer and made it work, because previous attempts made the code flaky.

This has been done to remove a vulnerable transitive dependency (link)

socket-security bot commented Oct 18, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | npm/@nethermindeth/enr@3.0.0-backport-306-v4 | 75 | 100 | 70 | 91 | 100 |
| Added | npm/@nethermindeth/discv5@9.0.0-backport-306-v4 | 78 | 100 | 88 | 91 | 100 |

socket-security bot commented Oct 18, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
| --- | --- | --- |
| Warn | Medium | npm/bcrypto@5.5.2 has Native code. |

Location: Package overview

From: ? → npm/@nethermindeth/discv5@9.0.0-backport-306-v4 → npm/bcrypto@5.5.2


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bcrypto@5.5.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


mralj force-pushed the mralj/chore/patch-chainsafe-disv5-v5 branch 2 times, most recently from b3e3b04 to 3ad05fa, October 19, 2025 05:39
mralj marked this pull request as ready for review October 19, 2025 11:38
mralj requested a review from spalladino October 19, 2025 11:38
mralj enabled auto-merge October 19, 2025 11:40
mralj self-assigned this Oct 19, 2025
mralj added this pull request to the merge queue Oct 20, 2025
github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Oct 20, 2025
mralj added this pull request to the merge queue Oct 20, 2025
mralj removed this pull request from the merge queue due to a manual request Oct 20, 2025
Removed dependency on bigint-buffer by patching discv5.
Repo [link](ChainSafe/discv5@master...NethermindEth:discv5:mralj/chore/backport-306-v3)

The applied changes are inspired by [this PR](ChainSafe/discv5#306), but the changeset is much smaller -- I have only removed the dependency on `bigint-buffer` and made it work, because previous attempts made the code flaky.

This has been done to remove a vulnerable transitive dependency ([link](https://github.com/AztecProtocol/aztec-packages/security/dependabot/395))
AztecBot force-pushed the mralj/chore/patch-chainsafe-disv5-v5 branch from d110ea8 to b89c66c, October 20, 2025 14:31
AztecBot enabled auto-merge October 20, 2025 14:31
AztecBot added this pull request to the merge queue Oct 20, 2025

mralj (Contributor, Author) commented Oct 20, 2025

@PhilWindle ci.grind passes (5 different runs) leaving it in the merge q

Merged via the queue into next with commit a08d4ca Oct 20, 2025
15 checks passed
AztecBot deleted the mralj/chore/patch-chainsafe-disv5-v5 branch October 20, 2025 15:13
mralj added a commit that referenced this pull request Oct 23, 2025
ludamad pushed a commit that referenced this pull request Dec 16, 2025