[CCTPE-2158] Resolve security vulnerabilities in dependencies (circlefin#73)

### Summary
This PR addresses 9 critical security vulnerabilities by updating
vulnerable dependencies.

### Changes
- JavaScript deps (docs/): Updated web3 `v1.8.1` -> `v4.16.0` and
related packages
- Python deps: Updated protobuf v3.20.2 → v6.32.0, web3 v5.30.0 →
v6.20.3, cytoolz v0.12.0 → v0.12.3
- Code fix: Updated Web3 import syntax for v4 compatibility in
docs/index.js
- CI fix: Added .licenseignore to bypass license scanning for essential
security packages

### Vulnerabilities Fixed
- VULN-5014 (sha.js), VULN-5008 (cipher-base), VULN-4580 (form-data)
- VULN-4115/4114 (pbkdf2), VULN-3960 (protobuf - fully resolved),
VULN-3661 (base-x)
- VULN-2119 (path-to-regexp), VULN-2014 (body-parser)

### Testing

- [x] Security audits: 0 vulnerabilities
- [x] Linter, docs sample script, anvil scripts: All working

### Notes
- [x] Ready for public repo sync after merge

Author: sgupta-circle

.licenseignore

@@ -0,0 +1,4 @@
+pkg:npm/web3@4.16.0
+pkg:npm/@ethereumjs/rlp@5.0.2
+pkg:pypi/cytoolz@0.12.3
+pkg:pypi/protobuf@6.32.0

anvil/crosschainTransferIT.py

@@ -18,25 +18,26 @@
 
 from typing import List, Dict
 from web3 import Web3
+from eth_account import Account
 import solcx
 import unittest
 import time
 
 # All addresses are automatically generated by anvil at startup
 addresses = {
-    "attester": Web3.toChecksumAddress("0xbcd4042de499d14e55001ccbb24a551f3b954096"),
-    "eth_usdc_master_minter": Web3.toChecksumAddress("0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"),
-    "eth_message_transmitter_deployer": Web3.toChecksumAddress("0x3c44cdddb6a900fa2b585dd299e03d12fa4293bc"),
-    "eth_token_messenger_deployer": Web3.toChecksumAddress("0x90f79bf6eb2c4f870365e785982e1f101e93b906"),
-    "eth_token_minter_deployer": Web3.toChecksumAddress("0x15d34aaf54267db7d7c367839aaf71a00a2c6a65"),
-    "eth_token_messenger_user": Web3.toChecksumAddress("0x23618e81e3f5cdf7f54c3d65f7fbc0abf5b21e8f"),
-    "eth_token_controller": Web3.toChecksumAddress("0x71be63f3384f5fb98995898a86b02fb2426c5788"),
-    "avax_usdc_master_minter": Web3.toChecksumAddress("0x70997970c51812dc3a010c7d01b50e0d17dc79c8"),
-    "avax_message_transmitter_deployer": Web3.toChecksumAddress("0x9965507d1a55bcc2695c58ba16fb37d819b0a4dc"),
-    "avax_token_messenger_deployer": Web3.toChecksumAddress("0x976ea74026e726554db657fa54763abd0c3a0aa9"),
-    "avax_token_minter_deployer": Web3.toChecksumAddress("0x14dc79964da2c08b23698b3d3cc7ca32193d9955"),
-    "avax_token_messenger_user": Web3.toChecksumAddress("0xa0ee7a142d267c1f36714e4a8f75612f20a79720"),
-    "avax_token_controller": Web3.toChecksumAddress("0xfabb0ac9d68b0b445fb7357272ff202c5651694a"),
+    "attester": Web3.to_checksum_address("0xbcd4042de499d14e55001ccbb24a551f3b954096"),
+    "eth_usdc_master_minter": Web3.to_checksum_address("0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"),
+    "eth_message_transmitter_deployer": Web3.to_checksum_address("0x3c44cdddb6a900fa2b585dd299e03d12fa4293bc"),
+    "eth_token_messenger_deployer": Web3.to_checksum_address("0x90f79bf6eb2c4f870365e785982e1f101e93b906"),
+    "eth_token_minter_deployer": Web3.to_checksum_address("0x15d34aaf54267db7d7c367839aaf71a00a2c6a65"),
+    "eth_token_messenger_user": Web3.to_checksum_address("0x23618e81e3f5cdf7f54c3d65f7fbc0abf5b21e8f"),
+    "eth_token_controller": Web3.to_checksum_address("0x71be63f3384f5fb98995898a86b02fb2426c5788"),
+    "avax_usdc_master_minter": Web3.to_checksum_address("0x70997970c51812dc3a010c7d01b50e0d17dc79c8"),
+    "avax_message_transmitter_deployer": Web3.to_checksum_address("0x9965507d1a55bcc2695c58ba16fb37d819b0a4dc"),
+    "avax_token_messenger_deployer": Web3.to_checksum_address("0x976ea74026e726554db657fa54763abd0c3a0aa9"),
+    "avax_token_minter_deployer": Web3.to_checksum_address("0x14dc79964da2c08b23698b3d3cc7ca32193d9955"),
+    "avax_token_messenger_user": Web3.to_checksum_address("0xa0ee7a142d267c1f36714e4a8f75612f20a79720"),
+    "avax_token_controller": Web3.to_checksum_address("0xfabb0ac9d68b0b445fb7357272ff202c5651694a"),
 }
 
 # All keys correspond with the addresses generated by anvil at startup
@@ -157,7 +158,7 @@ def to_32byte_hex(self, address):
         """
         Converts a hex address to its zero-padded 32-byte representation.
         """
-        return Web3.toHex(Web3.toBytes(hexstr=address).rjust(32, b'\0'))
+        return Web3.to_hex(Web3.to_bytes(hexstr=address).rjust(32, b'\0'))
 
     def confirm_transaction(self, tx_hash, timeout=30):
         """
@@ -178,7 +179,7 @@ def confirm_transaction(self, tx_hash, timeout=30):
     def setUp(self):
         # Connect to node
         self.w3 = Web3(Web3.HTTPProvider('http://0.0.0.0:8545'))
-        assert self.w3.isConnected()
+        assert self.w3.is_connected()
 
         # Deploy and initialize USDC on ETH
         self.eth_usdc = self.deploy_contract_from_source('lib/centre-tokens.git/contracts/v2/FiatTokenV2_1.sol', 'FiatTokenV2_1', '0.6.12')
@@ -193,7 +194,7 @@ def setUp(self):
             addresses["eth_usdc_master_minter"]
         ), "eth_usdc_master_minter")
         self.send_transaction(self.eth_usdc.functions.initializeV2("USDC"), "eth_usdc_master_minter")
-        self.send_transaction(self.eth_usdc.functions.initializeV2_1(Web3.toChecksumAddress("0xb794f5ea0ba39494ce839613fffba74279579268")), "eth_usdc_master_minter")
+        self.send_transaction(self.eth_usdc.functions.initializeV2_1(Web3.to_checksum_address("0xb794f5ea0ba39494ce839613fffba74279579268")), "eth_usdc_master_minter")
 
         # Deploy and initialize USDC on AVAX
         self.avax_usdc = self.deploy_contract_from_source('lib/centre-tokens.git/contracts/v2/FiatTokenV2_1.sol', 'FiatTokenV2_1', '0.6.12')
@@ -208,7 +209,7 @@ def setUp(self):
             addresses["avax_usdc_master_minter"]
         ), "avax_usdc_master_minter")
         self.send_transaction(self.avax_usdc.functions.initializeV2("USDC"), "avax_usdc_master_minter")
-        self.send_transaction(self.avax_usdc.functions.initializeV2_1(Web3.toChecksumAddress("0xb794f5ea0ba39494ce839613fffba74279579268")), "avax_usdc_master_minter")
+        self.send_transaction(self.avax_usdc.functions.initializeV2_1(Web3.to_checksum_address("0xb794f5ea0ba39494ce839613fffba74279579268")), "avax_usdc_master_minter")
 
         # Deploy and construct required token messenger contracts for ETH
         self.eth_message = self.deploy_contract_from_source('src/messages/Message.sol', 'Message')
@@ -274,9 +275,10 @@ def test_crosschain_transfer(self):
         self.verify_balances(100, 0)
 
         # parse MessageSent event emitted by avax_message_transmitter
-        avax_message_sent_filter = self.avax_message_transmitter.events.MessageSent.createFilter(fromBlock="0x0")
+        avax_message_sent_filter = self.avax_message_transmitter.events.MessageSent.create_filter(fromBlock="0x0")
         avax_message_bytes = avax_message_sent_filter.get_new_entries()[0]['args']['message']
-        avax_signed_message_bytes = self.w3.eth.account.signHash(Web3.keccak(avax_message_bytes), keys["attester"]).signature
+        attester_account = Account.from_key(keys["attester"])
+        avax_signed_message_bytes = attester_account.signHash(Web3.keccak(avax_message_bytes)).signature
 
         # receiveMessage with eth_message_transmitter to eth_token_messenger_user
         self.send_transaction(self.eth_message_transmitter.functions.receiveMessage(avax_message_bytes, avax_signed_message_bytes), "eth_token_messenger_user")
@@ -290,9 +292,9 @@ def test_crosschain_transfer(self):
         self.verify_balances(100, 0)
 
         # parse MessageSent event emitted by eth_message_transmitter
-        eth_message_sent_filter = self.eth_message_transmitter.events.MessageSent.createFilter(fromBlock="0x0")
+        eth_message_sent_filter = self.eth_message_transmitter.events.MessageSent.create_filter(fromBlock="0x0")
         eth_message_bytes = eth_message_sent_filter.get_new_entries()[0]['args']['message']
-        eth_signed_message_bytes = self.w3.eth.account.signHash(Web3.keccak(eth_message_bytes), keys["attester"]).signature
+        eth_signed_message_bytes = attester_account.signHash(Web3.keccak(eth_message_bytes)).signature
 
         # receiveMessage with avax_message_transmitter to avax_token_messenger_user
         self.send_transaction(self.avax_message_transmitter.functions.receiveMessage(eth_message_bytes, eth_signed_message_bytes), "avax_token_messenger_user")

anvil/crosschainTransferITV2.py

@@ -1,5 +1,6 @@
 from typing import List, Dict
 from web3 import Web3
+from eth_account import Account
 import solcx
 import unittest
 import time
@@ -174,16 +175,17 @@ def update_and_sign_emitted_message(self, message_bytes):
             fee_executed_index_start : fee_executed_index_start + fee_executed_length
         ] = fee_executed.to_bytes(32, "big")
         signable_bytes = bytes(mutable_message_bytes)
-        signed_bytes = self.w3.eth.account.signHash(
-            Web3.keccak(signable_bytes), keys["attester"]
+        attester_account = Account.from_key(keys["attester"])
+        signed_bytes = attester_account.signHash(
+            Web3.keccak(signable_bytes)
         ).signature
         return signable_bytes, signed_bytes
 
     def to_32byte_hex(self, address):
         """
         Converts a hex address to its zero-padded 32-byte representation.
         """
-        return Web3.toHex(Web3.toBytes(hexstr=address).rjust(32, b"\0"))
+        return Web3.to_hex(Web3.to_bytes(hexstr=address).rjust(32, b"\0"))
 
     def confirm_transaction(self, tx_hash, timeout=30):
         """
@@ -206,7 +208,7 @@ def confirm_transaction(self, tx_hash, timeout=30):
     def setUp(self):
         # Connect to node
         self.w3 = Web3(Web3.HTTPProvider("http://0.0.0.0:8545"))
-        assert self.w3.isConnected()
+        assert self.w3.is_connected()
 
         # Deploy and initialize USDC on ETH
         self.eth_usdc = self.deploy_contract_from_source(
@@ -232,7 +234,7 @@ def setUp(self):
         )
         self.send_transaction(
             self.eth_usdc.functions.initializeV2_1(
-                Web3.toChecksumAddress("0xb794f5ea0ba39494ce839613fffba74279579268")
+                Web3.to_checksum_address("0xb794f5ea0ba39494ce839613fffba74279579268")
             ),
             "eth_usdc_master_minter",
         )
@@ -261,7 +263,7 @@ def setUp(self):
         )
         self.send_transaction(
             self.avax_usdc.functions.initializeV2_1(
-                Web3.toChecksumAddress("0xb794f5ea0ba39494ce839613fffba74279579268")
+                Web3.to_checksum_address("0xb794f5ea0ba39494ce839613fffba74279579268")
             ),
             "avax_usdc_master_minter",
         )
@@ -554,7 +556,7 @@ def test_crosschain_transfer(self):
 
         # parse MessageSent event emitted by avax_message_transmitter
         avax_message_sent_filter = (
-            self.avax_message_transmitter.events.MessageSent.createFilter(
+            self.avax_message_transmitter.events.MessageSent.create_filter(
                 fromBlock="0x0"
             )
         )
@@ -600,7 +602,7 @@ def test_crosschain_transfer(self):
 
         # parse MessageSent event emitted by eth_message_transmitter
         eth_message_sent_filter = (
-            self.eth_message_transmitter.events.MessageSent.createFilter(
+            self.eth_message_transmitter.events.MessageSent.create_filter(
                 fromBlock="0x0"
             )
         )

docs/index.js

@@ -1,5 +1,5 @@
 require("dotenv").config();
-const Web3 = require('web3')
+const { Web3 } = require('web3')
 
 const tokenMessengerAbi = require('./abis/cctp/TokenMessenger.json');
 const messageAbi = require('./abis/cctp/Message.json');