replace `secp256k1": "^4.0.2` with `tiny-secp256k1": "^2.2.0`

[motorina0]

This PR replaces secp256k1": "^4.0.2 with tiny-secp256k1": "^2.2.0 No functional changes made.

This should fix issues as the one reported here: https://github.com/bitcoinjs/bolt11/issues/43 Also tiny-secp256k1 reduces the overall number of dependencies.

[junderw]

This is a bit grey... but even though WASM is supported in 92.87% of browser share, and all currently supported versions of NodeJS support it...

A large amount of popular tooling (React, Electron, React Native etc.) are still very nascent in WASM support...

bitcoinjs-lib itself made ecc stuff modular for that reason... but tbh I am not even sure if that was the right call. It does make things more complicated to have everything become some factory that requires injecting the ecc library, most devs would expect npm install bitcoinjs-lib or npm install bolt11, or bip32 etc. will just work.

[motorina0]

Both approaches have their merits and their downsides.

Included ECC lib

Advantages

• install package and use it, no extra configs

  Disadvantages

• more advanced users might have their own version of the ECC lib that they want to use
• new version updates of the ECC dependency might result in audit requests that slow down the upgrade to latest version of the lib

Modular ECC lib

Advantages

• the user of the lib can provide its own ECC library which is already audited and works on its required environments
• usage of redundant libraries can be avoided (some libs can require secp256k1 - v3, others secp256k1 - v4 and others tiny-secp256 - v2)

Disadvantages

• a small wrapper must be created in order to match the TinySecp256k1 interface

Suggested Solution

Take the best of both approaches by using a tool like Lerna:

• use one repository, but publish two packages. One for with the ECC included, one with modular ECC.
• the bolt11 package can be shipped with tiny-secp256k1 lib included
• the bolt11-light package can be modular
  • possible suffixes: *-light, *-small, *-xs, *-min, ...

Note that business logic changes only take place in the "light" package (no duplication). While the "full" package is a wrapper that injects the ECC lib and exports the same interface. The lerna Fixed/Locked mode takes care that the versions are in sync.

Lerna

• https://lerna.js.org/
• https://github.com/lerna/lerna
• https://semaphoreci.com/blog/javascript-monorepos-lerna

[bumi]

I am currently hesitant with the wasm option - just because I had issues in my build pipeline with a dependency that used tiny-secp256k1 (but also did not want to deal with it now, seemed to me a bit too early; secp256k1 works for me)

[motorina0]

Thanks for the feedback. Closing this PR (for now).

[bumi]

I don’t think you should close it. (just wanted to share my current experience here)

On 28. Apr 2022, at 06:37, Vlad Stan @.***> wrote:

 Closed #54.

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.