Closed pxwise closed 3 years ago
We will update it.
Just FYI, bitcoinjs-lib does not use the affected code portion. (ECDH)
Also FYI, anyone who installs a fresh copy will automatically be updated.
```
$ cd $(mktemp -d)
$ npm init -y
Wrote to /tmp/tmp.Xs0z0NFYij/package.json:
{
  "name": "tmp.Xs0z0NFYij",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}
$ npm install tiny-secp256k1
...
+ tiny-secp256k1@1.1.6
added 23 packages from 13 contributors and audited 23 packages in 3.805s
1 package is looking for funding
  run `npm fund` for details
found 0 vulnerabilities
$ cat package-lock.json | jq -r .dependencies.elliptic.version
6.5.4
```
New audit vulnerability seen in bitcoinjs-lib - https://www.npmjs.com/advisories/1648. Requires an update of elliptic to >=6.5.4.
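Added example, not part of the thread or of the bitcoinjs code: the `jq` check in the comment above reads only the top-level `elliptic` entry, so this sketch lists every resolved copy in a parsed `package-lock.json` and marks those below the 6.5.4 the advisory asks for. The sample lockfile and the package name `hypothetical-wallet-lib` are constructed for illustration.

```javascript
const MIN_FIXED = '6.5.4'; // minimum elliptic version named in the advisory text on this page

// Compare the numeric x.y.z cores only (pre-release/build tags ignored: a simplification).
function cmpVersion(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: copies installed in nested node_modules sit in nested "dependencies".
function walkV1(deps, path, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = path.concat(name);
    if (name === 'elliptic') out.push({ path: here.join(' > '), version: info.version });
    walkV1(info.dependencies, here, out);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
function walkPackages(packages, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (/(^|\/)node_modules\/elliptic$/.test(key)) out.push({ path: key, version: info.version });
  }
}

function findEllipticCopies(lock) {
  const out = [];
  if (lock.packages) walkPackages(lock.packages, out);
  else walkV1(lock.dependencies, [], out);
  return out.filter(c => typeof c.version === 'string')
    .map(c => ({ ...c, fixed: cmpVersion(c.version, MIN_FIXED) >= 0 }));
}

// Constructed sample lockfile (not from the page): top level is patched, a nested copy is not.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    elliptic: { version: '6.5.4' },
    'hypothetical-wallet-lib': { version: '1.0.0', dependencies: { elliptic: { version: '6.5.3' } } },
  },
};

for (const c of findEllipticCopies(sampleLock)) {
  console.log(`${c.fixed ? 'ok     ' : 'UPDATE '} elliptic@${c.version}  (${c.path})`);
}
```

To run it against a real project, pass `findEllipticCopies` the result of `JSON.parse` on the project's `package-lock.json`.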