This repository has been archived by the owner on May 26, 2023. It is now read-only.

Improve supply chain security by switching to better dependencies #462

Open
paulmillr opened this issue Sep 19, 2022 · 0 comments


paulmillr commented Sep 19, 2022

These deps from the crypto package:

    "@types/elliptic": "^6.4.13",
    "elliptic": "^6.5.0",
    "hash.js": "^1.1.5",
    "hmac-drbg": "^1.0.1",
    "pbkdf2": "^3.0.16",
    "scrypt-js": "^3.0.1",
    "scryptsy": "^2.1.0",
    "sodium-randbytes": "0.14.0",

and their sub-dependencies (10+?) can be replaced by @noble/secp256k1 and @noble/hashes — just two packages. This is what Ethereum, Solana, etc. did.

Every package is a potential security vulnerability, because maintainers could get hacked and their packages could be replaced with malware. Elliptic also had 2 CVEs, which is pretty bad.

schnorr.ts can be replaced by built-in schnorr from @noble/secp256k1.
