
[Snyk] Security upgrade web3 from 6.20.4 to 7.15.0 #422

Open

revan-zhang wants to merge 1 commit into main from snyk-fix-ccfb1401bfe42216d1890ba1027cb184

Conversation

@revan-zhang
Contributor

@revan-zhang revan-zhang commented Apr 12, 2026


Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.

Snyk changed the following file(s):

  • python/requirements-optional.txt

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)



The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-WEB3-15907867
@revan-zhang revan-zhang requested a review from a team as a code owner April 12, 2026 07:32
@revan-zhang
Contributor Author

revan-zhang commented Apr 12, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


@devin-ai-integration devin-ai-integration Bot left a comment


Devin Review found 2 potential issues.

View 2 additional findings in Devin Review.


@@ -1,4 +1,4 @@
hidapi >= 0.7.99.post20
web3 >= 4.8
web3>=7.15.0
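Review bot: the changed line raises the web3 floor from `>= 4.8` to `>=7.15.0`, three major versions, while the hunk touches only python/requirements-optional.txt and no source that imports web3; the inline comments on this hunk list call sites in python/src/trezorlib/cli/ethereum.py and ethereum_onekey.py that still use the camelCase names web3 v7 removed (isConnected, eth.estimateGas, eth.getTransactionCount, eth.gasPrice, eth.sendRawTransaction, contract.encodeABI), and python/setup.py line 30 still declares web3>=4.8 in extras_require["ethereum"], so this bump should land together with those snake_case updates and the matching setup.py change rather than on its own. A smaller point: the new line drops the spacing used by the neighbouring `hidapi >= 0.7.99.post20` and the line it replaces; `web3 >= 7.15.0` keeps the file consistent.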

🔴 web3>=7.15.0 requirement breaks all Ethereum CLI commands due to removed camelCase APIs

Bumping the web3 minimum version from >=4.8 to >=7.15.0 makes all web3 API calls in the codebase fail at runtime. web3.py v7 removed the legacy camelCase method names in favor of snake_case. The codebase still uses the old names in multiple places:

All broken web3 API call sites
  • python/src/trezorlib/cli/ethereum.py:393 and ethereum_onekey.py:323: isConnected() → removed, now is_connected()
  • python/src/trezorlib/cli/ethereum.py:428 and ethereum_onekey.py:349: eth.estimateGas() → removed, now eth.estimate_gas()
  • python/src/trezorlib/cli/ethereum.py:438 and ethereum_onekey.py:359: eth.getTransactionCount() → removed, now eth.get_transaction_count()
  • python/src/trezorlib/cli/ethereum.py:467 and ethereum_onekey.py:410: eth.gasPrice → removed, now eth.gas_price
  • python/src/trezorlib/cli/ethereum.py:522 and ethereum_onekey.py:478: eth.sendRawTransaction() → removed, now eth.send_raw_transaction()
  • python/src/trezorlib/cli/ethereum.py:159 and ethereum_onekey.py:170: contract.encodeABI() → removed, now contract.encode_abi()

Any user who installs web3>=7.15.0 (as now required) and attempts to use the Ethereum signing/transaction commands will get AttributeError at runtime. Either the version requirement should be lowered, or all the camelCase method calls need to be updated to snake_case.

Prompt for agents
The web3 version requirement was bumped to >=7.15.0 in requirements-optional.txt, but the Python code that uses web3 still references camelCase API methods that were removed in web3 v7. All 12 call sites across python/src/trezorlib/cli/ethereum.py and python/src/trezorlib/cli/ethereum_onekey.py need to be updated to snake_case equivalents:

- isConnected() -> is_connected()
- eth.estimateGas() -> eth.estimate_gas()
- eth.getTransactionCount() -> eth.get_transaction_count()
- eth.sendRawTransaction() -> eth.send_raw_transaction()
- eth.gasPrice -> eth.gas_price
- contract.encodeABI() -> contract.encode_abi()

Additionally, python/setup.py line 30 still has web3>=4.8 in extras_require['ethereum'] and should also be updated to match the new version requirement.

Note that web3 v7 also changed some constructor and provider behaviors, so the Web3() instantiation in _get_web3() (ethereum.py:89, ethereum_onekey.py:69) should be tested to ensure it still works as expected.

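The review above lists attribute names that web3.py v7 removed and their snake_case replacements. As an added example (not code from this PR, from Devin, or from the trezorlib project), the script below walks the Python AST to find every such attribute access and can rewrite it in place, which is the check a maintainer would run before accepting a major-version bump of a dependency. The name mapping is the one from the comment; the sample source, the `send` function and the `w3` and `contract` variables are constructed for the example and only imitate the shape of the affected call sites.

```python
"""Lint for web3.py camelCase attribute names removed in v7 (added example)."""
import ast
from typing import List, Tuple

# camelCase name removed in web3.py v7 -> snake_case replacement,
# as listed in the review comment this example accompanies.
REMOVED_WEB3_NAMES = {
    "isConnected": "is_connected",
    "estimateGas": "estimate_gas",
    "getTransactionCount": "get_transaction_count",
    "gasPrice": "gas_price",
    "sendRawTransaction": "send_raw_transaction",
    "encodeABI": "encode_abi",
}

Finding = Tuple[int, str, str]  # (line number, removed name, replacement)


def find_removed_web3_names(source: str, filename: str = "<source>") -> List[Finding]:
    """Return every attribute access in `source` that uses a removed name.

    Walking the AST rather than grepping means occurrences inside comments and
    string literals (such as the "gasPrice" transaction-dict key) are ignored,
    and property reads like `eth.gasPrice` are caught as well as method calls.
    """
    tree = ast.parse(source, filename=filename)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in REMOVED_WEB3_NAMES:
            findings.append((node.lineno, node.attr, REMOVED_WEB3_NAMES[node.attr]))
    findings.sort()
    return findings


def rewrite_removed_web3_names(source: str) -> str:
    """Return `source` with each removed attribute name replaced in place.

    Edits are applied from the end of the text backwards, using the AST's end
    positions, so earlier replacements never shift later ones. Assumes ASCII
    source (AST column offsets are byte offsets).
    """
    tree = ast.parse(source)
    edits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in REMOVED_WEB3_NAMES:
            # The attribute name is the last len(attr) characters of the node span.
            edits.append((node.end_lineno, node.end_col_offset, node.attr))
    lines = source.splitlines(keepends=True)
    for end_line, end_col, attr in sorted(edits, reverse=True):
        line = lines[end_line - 1]
        start = end_col - len(attr)
        assert line[start:end_col] == attr, "unexpected attribute span"
        lines[end_line - 1] = line[:start] + REMOVED_WEB3_NAMES[attr] + line[end_col:]
    return "".join(lines)


# Constructed sample shaped like the CLI code the review describes (not project code).
SAMPLE_SOURCE = '''\
# constructed sample, not trezorlib code
def send(w3, contract, tx, address):
    if not w3.isConnected():
        raise RuntimeError("no node")
    data = contract.encodeABI(fn_name="transfer", args=[address, 1])
    tx["gas"] = w3.eth.estimateGas(tx)
    tx["nonce"] = w3.eth.getTransactionCount(address)
    tx["gasPrice"] = w3.eth.gasPrice  # "gasPrice" as a dict key is fine
    return w3.eth.sendRawTransaction(tx["raw"])
'''

if __name__ == "__main__":
    for lineno, old, new in find_removed_web3_names(SAMPLE_SOURCE):
        print(f"line {lineno}: .{old} -> .{new}")
    print(rewrite_removed_web3_names(SAMPLE_SOURCE))
```

Running the lint over the constructed sample reports six accesses (lines 3 and 5 to 9); the dict key and the comment that also say "gasPrice" are left alone, and after `rewrite_removed_web3_names` the lint reports nothing. Pointing `find_removed_web3_names` at the real files would confirm whether a bump like this one is safe to merge.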

@@ -1,4 +1,4 @@
hidapi >= 0.7.99.post20
web3 >= 4.8
web3>=7.15.0

🔴 setup.py extras_require still specifies web3>=4.8, inconsistent with updated requirements-optional.txt

The PR updates requirements-optional.txt to require web3>=7.15.0, but python/setup.py:30 still declares "web3>=4.8" in extras_require["ethereum"]. Users installing via pip install trezor[ethereum] will get the old >=4.8 constraint from setup.py, potentially installing web3 v4/v5/v6, while users installing from requirements-optional.txt will get v7+. This inconsistency means different installation methods produce incompatible environments.

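The second finding is that requirements-optional.txt and the `extras_require` dict in setup.py now disagree about web3, so `pip install trezor[ethereum]` and `pip install -r requirements-optional.txt` resolve different versions. As an added example (not the project's own tooling and not from this PR), the script below parses both sources without executing setup.py, using `ast.literal_eval` on the `extras_require` keyword, and reports every package whose specifier differs between them. Both inputs are constructed to match the lines quoted in the PR; the `hidapi` extra in the sample setup.py is a construction for the example, not a claim about the real file.

```python
"""Cross-check version specifiers between a requirements file and setup.py (added example)."""
import ast
import re
from typing import Dict, List, Tuple

# One requirement line: name, optional [extras], remaining specifier. This is a
# deliberately small subset of PEP 508 that covers plain "name op version" lines.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*$")


def parse_requirement(line: str) -> Tuple[str, str]:
    """Return (normalised package name, specifier with whitespace removed)."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"not a requirement line: {line!r}")
    name = m.group(1).lower().replace("_", "-")
    spec = re.sub(r"\s+", "", m.group(3))
    return name, spec


def requirements_from_text(text: str) -> Dict[str, str]:
    """Parse a requirements.txt body, skipping comments, blanks and -r/-e options."""
    reqs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        name, spec = parse_requirement(line)
        reqs[name] = spec
    return reqs


def _is_setup_call(node: ast.AST) -> bool:
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    return (isinstance(func, ast.Name) and func.id == "setup") or (
        isinstance(func, ast.Attribute) and func.attr == "setup"
    )


def extras_from_setup_py(source: str) -> Dict[str, Dict[str, str]]:
    """Extract extras_require={...} from the setup() call without running the file.

    Only a literal dict is supported; a setup.py that builds extras_require
    dynamically would need to be inspected another way.
    """
    for node in ast.walk(ast.parse(source)):
        if _is_setup_call(node):
            for kw in node.keywords:
                if kw.arg == "extras_require":
                    extras = ast.literal_eval(kw.value)
                    return {
                        extra: dict(parse_requirement(r) for r in reqs)
                        for extra, reqs in extras.items()
                    }
    return {}


def find_mismatches(
    reqs: Dict[str, str], extras: Dict[str, Dict[str, str]]
) -> List[Tuple[str, str, str, str]]:
    """Return (package, extra, requirements spec, setup.py spec) wherever they differ."""
    mismatches = []
    for extra, extra_reqs in extras.items():
        for name, setup_spec in extra_reqs.items():
            if name in reqs and reqs[name] != setup_spec:
                mismatches.append((name, extra, reqs[name], setup_spec))
    return mismatches


# Constructed inputs matching the lines quoted in the PR (not the real files).
REQUIREMENTS_OPTIONAL = """\
hidapi >= 0.7.99.post20
web3>=7.15.0
"""

SETUP_PY = '''\
from setuptools import setup
setup(
    name="trezor",
    extras_require={
        "hidapi": ["hidapi>=0.7.99.post20"],   # constructed extra
        "ethereum": ["web3>=4.8"],              # the line the review points at
    },
)
'''

if __name__ == "__main__":
    reqs = requirements_from_text(REQUIREMENTS_OPTIONAL)
    for name, extra, req_spec, setup_spec in find_mismatches(reqs, extras_from_setup_py(SETUP_PY)):
        print(f"{name}: requirements says {req_spec}, setup.py[{extra}] says {setup_spec}")
```

On the constructed inputs the only mismatch is web3 (`>=7.15.0` versus `>=4.8` in the `ethereum` extra), which is exactly the inconsistency the review describes; a check like this in CI would catch a dependency bump that updates one install path but not the other.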
