ProjectOpenSea / opensea-js

TypeScript SDK for the OpenSea marketplace
https://docs.opensea.io/reference
MIT License

git-addressed dependencies add bloat and security risks to users of this SDK #625

Closed zzmp closed 1 year ago

zzmp commented 2 years ago

Dependencies are specified using git addresses (or addresses with hashes). This means they can never coalesce with other dependencies - if a user uses ethereumjs-abi or wyvern, they will always have multiple copies.

Dependencies should only be specified using the npm package with semver. This enables the package to be re-used by other packages (or the application), greatly reducing bundle size. This is also a security risk, as the packages can never be updated (they are pegged to a specific hash). If a bug is found with one of the pegged packages, then opensea-js will expose that bug, too.

If this was done because the pegged versions have specific fixes, it makes it pretty much unusable for projects that are "watching their weight", because it means that using "resolutions" in the package.json will probably break opensea-js.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. If you believe this was a mistake, please comment.