Zilliqa / zilliqa-js

JavaScript SDK for Zilliqa blockchain
https://www.npmjs.com/package/@zilliqa-js/zilliqa
GNU General Public License v3.0

Improve supply chain security by switching to better dependencies #462

Open paulmillr opened 2 years ago

paulmillr commented 2 years ago

Those deps from crypto package:

    "@types/elliptic": "^6.4.13",
    "elliptic": "^6.5.0",
    "hash.js": "^1.1.5",
    "hmac-drbg": "^1.0.1",
    "pbkdf2": "^3.0.16",
    "scrypt-js": "^3.0.1",
    "scryptsy": "^2.1.0",
    "sodium-randbytes": "0.14.0",

and their sub-dependencies (10+?) can be replaced by @noble/secp256k1, @noble/hashes — just two packages. This is what ethereum, solana, etc. did.

Every package is a potential security vulnerability, because maintainers could get hacked and their packages could be replaced with malware. Elliptic also had 2 CVEs, which is pretty bad.

schnorr.ts can be replaced by built-in schnorr from @noble/secp256k1.
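The claim above ("10+ sub-dependencies replaced by two packages") is the kind of thing worth measuring rather than estimating. The script below is an added example, written for this page; it is not code from the issue author or from zilliqa-js. It walks a package-lock.json (lockfileVersion 2 or 3, the `packages` map) from a chosen set of direct dependencies, applying npm's nested-then-walk-up resolution rule, and reports how many package installs and distinct names that set reaches. The embedded lockfile is constructed: its direct dependencies are the ones named in the issue, but the sub-dependency edges are illustrative rather than a verified snapshot of any version, the nested `safe-buffer` copy under `pbkdf2` is there only to show that one name can be installed more than once, and the two `@noble/*` entries are assumed to declare no dependencies.

```javascript
// Added example, not zilliqa-js code. Counts the install footprint of a set
// of direct dependencies from a package-lock.json (lockfileVersion 2 or 3),
// so "these N packages can be replaced by two" can be checked as a number.
// Run with: node dep-surface.js [path/to/package-lock.json]

// Constructed lockfile fragment. Direct dependencies are the ones named in
// the issue; the sub-dependency edges are illustrative (same shape as the
// real tree, not a verified snapshot of any version). The nested safe-buffer
// under pbkdf2 shows that npm can install the same name more than once.
const D = (...names) => Object.fromEntries(names.map((n) => [n, "*"]));
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: D("elliptic", "hash.js", "hmac-drbg", "pbkdf2", "scrypt-js", "scryptsy", "sodium-randbytes") },
    "node_modules/elliptic": { dependencies: D("bn.js", "brorand", "hash.js", "hmac-drbg", "inherits", "minimalistic-assert", "minimalistic-crypto-utils") },
    "node_modules/bn.js": {},
    "node_modules/brorand": {},
    "node_modules/hash.js": { dependencies: D("inherits", "minimalistic-assert") },
    "node_modules/hmac-drbg": { dependencies: D("hash.js", "minimalistic-assert", "minimalistic-crypto-utils") },
    "node_modules/inherits": {},
    "node_modules/minimalistic-assert": {},
    "node_modules/minimalistic-crypto-utils": {},
    "node_modules/pbkdf2": { dependencies: D("create-hash", "create-hmac", "ripemd160", "safe-buffer", "sha.js") },
    "node_modules/pbkdf2/node_modules/safe-buffer": {},
    "node_modules/create-hash": { dependencies: D("inherits", "ripemd160", "sha.js") },
    "node_modules/create-hmac": { dependencies: D("create-hash", "inherits", "safe-buffer") },
    "node_modules/ripemd160": { dependencies: D("inherits") },
    "node_modules/safe-buffer": {},
    "node_modules/sha.js": { dependencies: D("inherits", "safe-buffer") },
    "node_modules/scrypt-js": {},
    "node_modules/scryptsy": {},
    "node_modules/sodium-randbytes": {},
    // Proposed replacements; assumed here to declare no dependencies.
    "node_modules/@noble/secp256k1": {},
    "node_modules/@noble/hashes": {},
  },
};

// npm's resolution rule for a lockfile path: look for node_modules/<name>
// nested under the requiring package, then walk up towards the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Walk the graph from the given direct dependencies and report how many
// package installs and how many distinct package names it reaches. Throws on
// a dependency the lockfile does not contain: silently skipping it would
// undercount the surface, which is the wrong failure mode for an audit.
function dependencySurface(lock, roots) {
  const packages = lock.packages;
  if (!packages) throw new Error("expected lockfileVersion 2 or 3 ('packages' map)");
  const seen = new Set();
  const queue = roots.map((name) => {
    const p = resolveDep(packages, "", name);
    if (!p) throw new Error(`root dependency not in lockfile: ${name}`);
    return p;
  });
  while (queue.length) {
    const p = queue.shift();
    if (seen.has(p)) continue;
    seen.add(p);
    for (const dep of Object.keys(packages[p].dependencies || {})) {
      const target = resolveDep(packages, p, dep);
      if (!target) throw new Error(`lockfile incomplete: ${dep} required by ${p}`);
      queue.push(target);
    }
  }
  const names = new Set([...seen].map((p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length)));
  return { installs: seen.size, names: [...names].sort() };
}

// Compare two sets of direct dependencies against the same lockfile.
function compareSurfaces(lock, before, after) {
  const a = dependencySurface(lock, before);
  const b = dependencySurface(lock, after);
  return { before: a, after: b, removedInstalls: a.installs - b.installs };
}

const CURRENT_DEPS = ["elliptic", "hash.js", "hmac-drbg", "pbkdf2", "scrypt-js", "scryptsy", "sodium-randbytes"];
const PROPOSED_DEPS = ["@noble/secp256k1", "@noble/hashes"];

if (typeof require === "function" && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const r = compareSurfaces(lock, CURRENT_DEPS, PROPOSED_DEPS);
  console.log(`before: ${r.before.installs} installs (${r.before.names.length} names)`);
  console.log(`after:  ${r.after.installs} installs (${r.after.names.length} names)`);
  console.log(`removed: ${r.removedInstalls}`);
}
```

On the constructed tree the seven current dependencies reach 18 installs across 17 names and the two proposed ones reach 2, which is the number a reviewer of the swap would want in the PR description. Against a real lockfile, run it on the branch that already adds the `@noble/*` packages so both root sets resolve; the walk only follows `dependencies`, so extend it to `optionalDependencies` if the project installs those, and the distinct-names count is the one that matters for the "each maintainer is a point of compromise" argument, while the installs count is what reaches the bundle.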