bitcoinjs / bitcoinjs-lib

A javascript Bitcoin library for node.js and browsers.
MIT License

Release 4.0.1 #1143

Closed dcousens closed 5 years ago

dcousens commented 5 years ago

Released on npm

+ bitcoinjs-lib@4.0.1

@junderw from my package-lock.json, don't know if it is useful, but maybe we can find a way to prevent some problems through iterating on the idea?

```sh
# List every runtime (non-dev) dependency with the integrity hash the lockfile pins for it.
# with_entries(select(.value.dev | not)) drops entries flagged "dev": true per package;
# a bare select() applied to the whole .dependencies object would not filter anything.
cat package-lock.json \
  | jq -c '.dependencies | with_entries(select(.value.dev | not))' \
  | jq -r 'to_entries[] | "\"\(.key)\": \"\(.value.integrity)\""' \
  | sort
```

```
"base-x": "sha512-UYOadoSIkEI/VrRGSG6qp93rp2WdokiAiNYDfGW5qURAY8GiAQkvMbwNNSDYiVJopqv4gCna7xqf4rrNGp+5AA=="
"bech32": "sha512-yuVFUvrNcoJi0sv5phmqc6P+Fl1HjRDRNOOkHY2X/3LBy2bIGNSFx4fZ95HMaXHupuS7cZR15AsvtmCIF4UEyg=="
"bindings": "sha512-DpLh5EzMR2kzvX1KIlVC0VkC3iZtHKTgdtZ0a3pglBZdaQFjt5S9g9xd1lE+YvXyfd6mtCeRnrUfOLYiTMlNSw=="
"bip32": "sha512-kedLYj8yvYzND+EfzeoMSlGiN7ImiRBF/MClJSZPkMfcU+OQO7ZpL5L/Yg+TunebBZIHhunstiQF//KLKSF5rg=="
"bip66": "sha1-AfqHSHhcpwlV1QESF9GzE5lpyiI="
"bitcoinjs-lib": "sha512-weum3uRYWxGhAvRk+2Ch7Z3x5tKBfeuzVyoGdP1CMrGJ5Nw6plj1GVA3A+RejLDii7UM7OxgOfXgPZhLmI7+vQ=="
"bitcoin-ops": "sha512-pef6gxZFztEhaE9RY9HmWVmiIHqCb2OyS4HPKkpc6CIiiOa3Qmuoylxc5P2EkU3w+5eTSifI9SEZC88idAIGow=="
"bn.js": "sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA=="
"brorand": "sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8="
"bs58check": "sha512-okRQiWc5FJuA2VOwQ1hB7Sf0MyEFg/EwRN12h4b8HrJoGkZ3xq1CGjkaAfYloLcZyqixQnO5mhPpN6IcHSplVg=="
"bs58": "sha1-vhYedsNU9veIrkBx9j806MTwpCo="
"cipher-base": "sha512-Kkht5ye6ZGmwv40uUDZztayT2ThLQGfnj/T71N/XzeZeo3nf8foyW7zGTsPYkEya3m5f3cAypH+qe7YOrM1U2Q=="
"create-hash": "sha512-z00bCGNHDG8mHAkP7CtT1qVu+bFQUPjYq/4Iv3C3kWjTFV10zIjfSoeqXo9Asws8gwSHDGj/hl2u4OGIjapeCg=="
"create-hmac": "sha512-MJG9liiZ+ogc4TzUwuvbER1JRdgvUFSB5+VR/g5h82fGaIRWMWddtKBHi7/sVhfjQZ6SehlyhvQYrcYkaUIpLg=="
"elliptic": "sha1-ysmvh2LIWDYYcAPI3+GT5eLq5d8="
"hash-base": "sha1-X8hoaEfs1zSZQDMZprCj8/auSRg="
"hash.js": "sha512-eWI5HG9Np+eHV1KQhisXWwM+4EPPYe5dFX1UZZH7k/E3JzDEazVH+VGlZi6R94ZqImq+A3D1mCEtrFIfg/E7sA=="
"hmac-drbg": "sha1-0nRXAQJabHdabFRXk+1QL8DGSaE="
"inherits": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4="
"md5.js": "sha1-6b296UogpawYsENA/Fdk1bCdkB0="
"merkle-lib": "sha1-grjbrnXieneFOItz+ddyXQ9vMyY="
"minimalistic-assert": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A=="
"minimalistic-crypto-utils": "sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo="
"nan": "sha512-bAdJv7fBLhWC+/Bls0Oza+mvTaNQtP+1RyhhhvD95pgUJz6XM5IzgmxOkItJ9tkoCiplvAnXI1tNmmUD/eScyA=="
"pushdata-bitcoin": "sha1-FZMdPNlnreUiBvUjqnMxrvfUOvc="
"randombytes": "sha512-CIQ5OFxf4Jou6uOKe9t1AOgqpeU5fd70A8NPdHSGeYXqXsPe6peOwI0cUl88RWZ6sP1vPMV3avd/R6cZ5/sP1A=="
"ripemd160": "sha512-ii4iagi25WusVoiC4B4lq7pbXfAp3D9v5CwfkY33vffw2+pkDjY1D8GaN7spsxvCSx8dkPqOZCEZyfxcmJG2IA=="
"safe-buffer": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
"sha.js": "sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ=="
"tiny-secp256k1": "sha512-Wd4YPIQUtNmFoszG9f4PAkpCTurF5deVrbS1KuIZ9LTo9AHmXwbl1iNTrDqT3/xI62TRi0OcVs6eXk+8OcDziQ=="
"typeforce": "sha512-fvnkvueAOFLhtAqDgIA/wMP21SMwS/NQESFKZuwVrj5m/Ew6eK2S0z0iB++cwtROPWDOhaT6OUfla8UwMw4Adg=="
"varuint-bitcoin": "sha512-jCEPG+COU/1Rp84neKTyDJQr478/hAfVp5xxYn09QEH0yBjbmPeMfuuQIrp+BUD83hybtYZKhr5elV3bvdV1bA=="
"wif": "sha1-CNP1IFbGZnkplyb63g1DKudLRwQ="
```

```sh
# The same listing piped through sha256sum gives one value to compare against.
cat package-lock.json \
  | jq -c '.dependencies | with_entries(select(.value.dev | not))' \
  | jq -r 'to_entries[] | "\"\(.key)\": \"\(.value.integrity)\""' \
  | sort \
  | sha256sum
```

```
88719cf14cc011cdc66710b9ac4bface45fd43111815cc56edb189e9ed7ab573
```

Reminder:

Don't trust. Verify.

We recommend every user of this library and the bitcoinjs ecosystem audit and verify any underlying code for its validity and suitability.

That means, check your packages, verify they match, and never update the packages blindly without verifying their new contents.

dcousens commented 5 years ago

@junderw as the project progresses, maybe we move bitcoinjs-lib to import the majority of the ecosystem dependencies (bip39 etc), like a bundle.

I wouldn't want to do this without ES6 tree shaking (so ES6 exports), but it could be a great way to package it up and provide some semblance of easy-to-verify security?

junderw commented 5 years ago

....... I wonder how npm publish would react to git submodules.

We could seek out all our dependencies on github and set them all up as submodules located somewhere and commit them.

Then we can remove them as dependencies from package.json.

It would be more secure... but it would create large overhead for projects, as there would be overlap (we have bip39 as a git submodule and they import bip39 as well, their webpacks etc. would have two bip39s in them)