Those deps from the `crypto` package:
and their sub-dependencies (10+?) can be replaced by `@noble/secp256k1`, `@noble/hashes` — just two packages. This is what ethereum, solana, etc. did.

Every package is a potential security vulnerability, because maintainers could get hacked and their packages could be replaced with malware. Elliptic also had 2 CVEs, which is pretty bad.

`schnorr.ts` can be replaced by the built-in schnorr from `@noble/secp256k1`.