browserify / crypto-browserify

partial implementation of node's `crypto` for the browser
MIT License

[Security] update browserify-sign to the latest #206

Closed rastorc3v closed 7 months ago

rastorc3v commented 3 years ago

The current browserify-sign version has elliptic as a dependency, which contains a security issue. Please update browserify-sign to fix it.

mkilpatrick commented 7 months ago

Semgrep also calls this out with the following information:

Affected versions of browserify-sign are vulnerable to Improper Verification Of Cryptographic Signature. The vulnerability lies in the checkValue function incorrectly verifying the upper bounds of the r and s components in a signature, enabling attackers to manipulate the s component by setting it to the prime number q, thereby simulating a zero value for s and potentially resulting in the unauthorized acceptance of maliciously signed messages during signature verification.
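
To make the bounds issue in that description concrete, here is an added example (not code from browserify-sign, elliptic, or the commenter): a lower-bound-only range check beside the 0 < value < q check that DSA/ECDSA verification requires, run over a constructed signature with s set equal to q. The names `checkValueWeak`, `checkValueStrict` and `signatureInRange`, and the small prime used as q, are assumptions made for illustration and do not reproduce the affected function.

```javascript
// Added illustration; not code from browserify-sign or elliptic.
// Signature components are BigInt so the comparison against q is exact.

// Hypothetical weak check: rejects zero and negatives but never compares
// against the group order q, so a component equal to (or above) q passes.
function checkValueWeak(b, q) {
  return b > 0n;
}

// Correct check for a DSA/ECDSA signature component: 0 < b < q.
function checkValueStrict(b, q) {
  return b > 0n && b < q;
}

// Why s === q matters: the verifier works modulo q, so s = q reduces to 0,
// exactly the value the lower-bound check was meant to exclude.
function reducesToZero(s, q) {
  return ((s % q) + q) % q === 0n;
}

// Apply the chosen check to both components of a signature (r, s).
function signatureInRange(r, s, q, check) {
  return check(r, q) && check(s, q);
}

// Constructed parameters: a small prime stands in for the group order q.
const q = 23n;
const cases = [
  { name: 'honest',    r: 5n, s: 7n },
  { name: 's equal q', r: 5n, s: 23n },
  { name: 's above q', r: 5n, s: 30n },
  { name: 's zero',    r: 5n, s: 0n },
];

for (const c of cases) {
  console.log(
    c.name.padEnd(10),
    'weak:', signatureInRange(c.r, c.s, q, checkValueWeak),
    'strict:', signatureInRange(c.r, c.s, q, checkValueStrict),
    'reduces to 0:', reducesToZero(c.s, q),
  );
}
```

The honest signature passes both checks; the weak check also accepts s = q and s > q, while the strict check rejects them before any modular arithmetic is attempted, which is the fix the thread refers to.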

ljharb commented 7 months ago

@mkilpatrick that sounds like something different - if elliptic has a vulnerability, then that package needs to fix it. The CVE you reference was fixed in browserify-sign 4-5 months ago (https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30) and is in v4.2.2 of that package.

ljharb commented 7 months ago

if elliptic has a vulnerability, then that package needs to fix it - if there's a specific CVE, please link it.