[Snyk] Security upgrade web3 from 6.20.4 to 7.15.0#194
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-WEB3-15907867
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
| @@ -1,5 +1,5 @@ | |||
| hidapi >= 0.7.99.post20 | |||
| web3 >= 4.8 | |||
| web3>=7.15.0 | |||
There was a problem hiding this comment.
🟡 setup.py ethereum extra still requires web3>=4.8, inconsistent with requirements-optional.txt bump to >=7.15.0
The PR updates requirements-optional.txt to web3>=7.15.0, but python/setup.py:30 still specifies "web3>=4.8" in the ethereum extras_require. Users installing via pip install trezor[ethereum] will resolve web3 from setup.py, potentially getting a version different from what requirements-optional.txt mandates. This inconsistency should be resolved by updating setup.py to match.
Prompt for agents
The web3 version requirement was updated in python/requirements-optional.txt to >=7.15.0 but not in python/setup.py line 30, which still has web3>=4.8 in the ethereum extras_require. Update python/setup.py line 30 to change web3>=4.8 to web3>=7.15.0 so both files are consistent. Note that bumping to web3 v7 also requires updating the camelCase web3 API calls in python/src/trezorlib/cli/ethereum.py (see BUG-0002 for details).
Was this helpful? React with 👍 or 👎 to provide feedback.
| @@ -1,5 +1,5 @@ | |||
| hidapi >= 0.7.99.post20 | |||
| web3 >= 4.8 | |||
| web3>=7.15.0 | |||
There was a problem hiding this comment.
🔴 web3 v7 requirement breaks existing code that uses removed camelCase API methods
Bumping the web3 requirement to >=7.15.0 breaks python/src/trezorlib/cli/ethereum.py because web3 v5+ migrated from camelCase to snake_case, and v7 removed the old names entirely. Six call sites will raise AttributeError at runtime:
Affected call sites
ethereum.py:297:isConnected()→ should beis_connected()ethereum.py:323:eth.estimateGas()→ should beeth.estimate_gas()ethereum.py:333:eth.getTransactionCount()→ should beeth.get_transaction_count()ethereum.py:356:eth.gasPrice→ should beeth.gas_priceethereum.py:410:eth.sendRawTransaction()→ should beeth.send_raw_transaction()ethereum.py:156:contract.encodeABI()→ should becontract.encode_abi()
Prompt for agents
The web3 requirement was bumped to >=7.15.0 in python/requirements-optional.txt, but the code in python/src/trezorlib/cli/ethereum.py still uses the old camelCase web3 v4 API that was removed in web3 v5+/v7. The following methods need to be updated to their snake_case equivalents:
1. Line 156: contract.encodeABI("transfer", ...) -> contract.encode_abi("transfer", ...)
2. Line 297: _get_web3().isConnected() -> _get_web3().is_connected()
3. Line 323: _get_web3().eth.estimateGas({...}) -> _get_web3().eth.estimate_gas({...})
4. Line 333: _get_web3().eth.getTransactionCount(from_address) -> _get_web3().eth.get_transaction_count(from_address)
5. Line 356: _get_web3().eth.gasPrice -> _get_web3().eth.gas_price
6. Line 410: _get_web3().eth.sendRawTransaction(tx_hex) -> _get_web3().eth.send_raw_transaction(tx_hex)
Additionally, web3 v7 may have other breaking changes (e.g. the contract constructor API, provider configuration) that should be verified by testing the full ethereum CLI workflow.
Was this helpful? React with 👍 or 👎 to provide feedback.
Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
python/requirements-optional.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Server-side Request Forgery (SSRF)