Insecure dependencies are used: Switch to newer, audited dependencies

algorand / js-algorand-sdk

The official JavaScript SDK for Algorand.

https://algorand.github.io/js-algorand-sdk/

MIT License

284 stars 206 forks source link

Open paulmillr opened 1 year ago

paulmillr commented 1 year ago

js-sha256, js-sha3, js-sha512 - can be replaced with noble-hashes, which were audited and developed with a grant from Ethereum Foundation
tweetnacl - can be replaced with noble-curves which uses noble-hashes
hi-base32 - can be replaced with audited scure-base

All of the packages are as minimal as possible, support esm, source maps, typescript, etc.

jasonpaulos commented 1 year ago

@paulmillr you are the author of these libraries? I see that noble-hashes and scure-base have been audited, but noble-curves has not?

paulmillr commented 1 year ago

@jasonpaulos yeah. I am hoping to publish the curves audit soon as well.

paulmillr commented 1 year ago

curves have been audited, so all good for now