chore: update snapshots and audit (#367)

TucksonDev · web-flow · commit d517b4e95270 · 2025-11-26T22:04:43.000+08:00
* Update gas snapshot

* Update axios lib

* Fix yarn audit findings

* Fix deployment check

* Add new advisory to allowlist

* Test: nitro-testnode fix

* Test: add nitro-testnode branch to integration tests

* Revert testing changes

* Add new advisory
diff --git a/.gas-snapshot b/.gas-snapshot
@@ -14,7 +14,7 @@ ArbitrumFoundationVestingWalletTest:testOnlyOwnerCanMigrate() (gas: 16329757)
 ArbitrumFoundationVestingWalletTest:testOwnerCanSetBeneficiary() (gas: 16332176)
 ArbitrumFoundationVestingWalletTest:testProperlyInits() (gas: 16337546)
 ArbitrumFoundationVestingWalletTest:testRandomAddressCantSetBeneficiary() (gas: 16329656)
-ArbitrumFoundationVestingWalletTest:testRelease() (gas: 16451131)
+ArbitrumFoundationVestingWalletTest:testRelease() (gas: 16448631)
 ArbitrumVestingWalletFactoryTest:testDeploy() (gas: 4589688)
 ArbitrumVestingWalletFactoryTest:testOnlyOwnerCanCreateWallets() (gas: 1504286)
 ArbitrumVestingWalletTest:testCastVote() (gas: 16201584)
@@ -26,7 +26,7 @@ ArbitrumVestingWalletTest:testDelegateFailsForNonBeneficiary() (gas: 16008435)
 ArbitrumVestingWalletTest:testDoesDeploy() (gas: 15971342)
 ArbitrumVestingWalletTest:testReleaseAffordance() (gas: 16008649)
 ArbitrumVestingWalletTest:testVestedAmountStart() (gas: 16074917)
-E2E:testE2E() (gas: 85079542)
+E2E:testE2E() (gas: 85074542)
 FixedDelegateErc20WalletTest:testInit() (gas: 5822575)
 FixedDelegateErc20WalletTest:testInitZeroToken() (gas: 5816805)
 FixedDelegateErc20WalletTest:testTransfer() (gas: 5932218)
@@ -101,7 +101,7 @@ L2SecurityCouncilMgmtFactoryTest:testRemovalGovDeployment() (gas: 30769899)
 L2SecurityCouncilMgmtFactoryTest:testSecurityCouncilManagerDeployment() (gas: 30788992)
 NomineeGovernorV2UpgradeActionTest:testAction() (gas: 8153)
 OfficeHoursActionTest:testConstructor() (gas: 9050)
-OfficeHoursActionTest:testFuzzOfficeHoursDeployment(uint256,uint256,int256,uint256,uint256,uint256) (runs: 256, μ: 317058, ~: 317184)
+OfficeHoursActionTest:testFuzzOfficeHoursDeployment(uint256,uint256,int256,uint256,uint256,uint256) (runs: 256, μ: 317091, ~: 317184)
 OfficeHoursActionTest:testInvalidConstructorParameters() (gas: 235740)
 OfficeHoursActionTest:testPerformBeforeMinimumTimestamp() (gas: 8646)
 OfficeHoursActionTest:testPerformDuringOfficeHours() (gas: 9140)
@@ -136,7 +136,7 @@ SecurityCouncilManagerTest:testRotateMember() (gas: 259133)
 SecurityCouncilManagerTest:testUpdateCohortAffordances() (gas: 83026)
 SecurityCouncilManagerTest:testUpdateFirstCohort() (gas: 295652)
 SecurityCouncilManagerTest:testUpdateRouter() (gas: 76296)
-SecurityCouncilManagerTest:testUpdateRouterAffordacnes() (gas: 112379)
+SecurityCouncilManagerTest:testUpdateRouterAffordacnes() (gas: 109879)
 SecurityCouncilManagerTest:testUpdateSecondCohort() (gas: 295657)
 SecurityCouncilMemberElectionGovernorTest:testCannotUseMoreVotesThanAvailable() (gas: 246997)
 SecurityCouncilMemberElectionGovernorTest:testCastBySig() (gas: 302852)
@@ -153,7 +153,7 @@ SecurityCouncilMemberElectionGovernorTest:testOnlyNomineeElectionGovernorCanProp
 SecurityCouncilMemberElectionGovernorTest:testProperInitialization() (gas: 49388)
 SecurityCouncilMemberElectionGovernorTest:testProposeReverts() (gas: 32916)
 SecurityCouncilMemberElectionGovernorTest:testRelay() (gas: 42229)
-SecurityCouncilMemberElectionGovernorTest:testSelectTopNominees(uint256) (runs: 256, μ: 340066, ~: 339868)
+SecurityCouncilMemberElectionGovernorTest:testSelectTopNominees(uint256) (runs: 256, μ: 339688, ~: 339471)
 SecurityCouncilMemberElectionGovernorTest:testSelectTopNomineesFails() (gas: 273335)
 SecurityCouncilMemberElectionGovernorTest:testSetFullWeightDuration() (gas: 34951)
 SecurityCouncilMemberElectionGovernorTest:testVotesToWeight() (gas: 152898)
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
@@ -41,6 +41,12 @@
         // form-data uses unsafe random function in form-data for choosing boundary (Critical)
         "GHSA-fjxv-7rqg-78g4",
         // tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
-        "GHSA-52f5-9888-hmc6"
+        "GHSA-52f5-9888-hmc6",
+        // web3-core-subscriptions has a Prototype Pollution vulnerability
+        "GHSA-hhf6-3xpg-pggx",
+        // js-yaml has prototype pollution in merge (<<)
+        "GHSA-mh29-5h37-fv8m",
+        // body-parser is vulnerable to denial of service when url encoding is used
+        "GHSA-wqch-xfxh-vrr4"
     ]
   }
diff --git a/scripts/tokenDistributorHelper.ts b/scripts/tokenDistributorHelper.ts
@@ -200,11 +200,13 @@ export async function getRecipientsDataFromContractEvents(
   // in 100 blocks there can be 100 recipient batches => 10k events at most
   const blocksToSearch = config.GET_LOGS_BLOCK_RANGE;
   while (currentBlock <= endBlock) {
+    const blockTo = currentBlock + blocksToSearch > endBlock ? endBlock : currentBlock + blocksToSearch;
+
     // query 100 blocks
     const canClaimEvents = await tokenDistributor.queryFilter(
       canClaimFilter,
       currentBlock,
-      currentBlock + blocksToSearch
+      blockTo
     );
 
     // collect recipient-amount pairs
diff --git a/yarn.lock b/yarn.lock
@@ -1469,9 +1469,9 @@ aws4@^1.8.0:
   integrity sha512-lHe62zvbTB5eEABUVi/AwVh0ZKY9rMMDhmm+eeyuuUQbQ3+J+fONVQOZyj+DdrvD4BY33uYniyRJ4UJIaSKAfw==
 
 axios@^1.5.1, axios@^1.6.8:
-  version "1.11.0"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-1.11.0.tgz#c2ec219e35e414c025b2095e8b8280278478fdb6"
-  integrity sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==
+  version "1.13.2"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.13.2.tgz#9ada120b7b5ab24509553ec3e40123521117f687"
+  integrity sha512-VPk9ebNqPcy5lRGuSlKx752IlDatOjT9paPlm8A7yOuW2Fbvp4X3JznJtT4f0GzGLLiWE9W8onz51SqLYwzGaA==
   dependencies:
     follow-redirects "^1.15.6"
     form-data "^4.0.4"
@@ -4025,9 +4025,9 @@ mimic-response@^3.1.0:
   integrity sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ==
 
 min-document@^2.19.0:
-  version "2.19.0"
-  resolved "https://registry.yarnpkg.com/min-document/-/min-document-2.19.0.tgz#7bd282e3f5842ed295bb748cdd9f1ffa2c824685"
-  integrity sha512-9Wy1B3m3f66bPPmU5hdA4DR4PB2OfDU/+GS3yAB7IQozE3tqXaVv2zOjgla7MEGSRv95+ILmOuvhLkOK6wJtCQ==
+  version "2.19.1"
+  resolved "https://registry.yarnpkg.com/min-document/-/min-document-2.19.1.tgz#7083ad4bc8879a6eba6516688e9f5d91d32e2d23"
+  integrity sha512-8lqe85PkqQJzIcs2iD7xW/WSxcncC3/DPVbTOafKNJDIMXwGfwXS350mH4SJslomntN2iYtFBuC0yNO3CEap6g==
   dependencies:
     dom-walk "^0.1.0"
 

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,12 @@`
`41`	`41`	`// form-data uses unsafe random function in form-data for choosing boundary (Critical)`
`42`	`42`	`"GHSA-fjxv-7rqg-78g4",`
`43`	`43`	// tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
`44`		`- "GHSA-52f5-9888-hmc6"`
	`44`	`+ "GHSA-52f5-9888-hmc6",`
	`45`	`+ // web3-core-subscriptions has a Prototype Pollution vulnerability`
	`46`	`+ "GHSA-hhf6-3xpg-pggx",`
	`47`	`+ // js-yaml has prototype pollution in merge (<<)`
	`48`	`+ "GHSA-mh29-5h37-fv8m",`
	`49`	`+ // body-parser is vulnerable to denial of service when url encoding is used`
	`50`	`+ "GHSA-wqch-xfxh-vrr4"`
`45`	`51`	`]`
`46`	`52`	`}`