Open paulmillr opened 1 year ago
I fully second what @paulmillr just suggested.
Except that I would also suggest to remove minimalistic-assert
and minimalistic-crypto-utils
from the dependencies too.
Those packages are respectively 10 and 58 lines of code who haven't been updated for 4 and 6 years, just copy them in code's project. No need to add a dependency to an external package for that :) This would definitely reduce the attack surface for a supply chain attack.
minimalistic-crypto-utils
: https://github.com/indutny/minimalistic-crypto-utils/blob/master/lib/utils.jsminimalistic-assert
: https://github.com/calvinmetcalf/minimalistic-assert/blob/master/index.jsI was wondering how long it was going to take for someone to notice brorand. I might code that change up and submit a pull request.
https://github.com/indutny/elliptic/blob/43ac7f230069bd1575e1e4a58394a512303ba803/package.json#L47-L55
I suggest to switch to developed and audited projects:
bn.js
can be dropped, in favor of native bigints, which have been supported everywhere for a long timebrorand
can be dropped in favor of a simple 5-lines-of-code filehash.js
can be replaced by @noble/hashes, which has been independently audited, and supports tree shakinghmac-drbg
andsecp256k1
implementation can be replaced by @noble/secp256k1, which has been independently audited, uses native bigints, and is getting more and more popular. There is also an optional compatibility layer with old apiinherits
does not seem that useful at this point, since the intro of es6 classesminimalistic-assert
,minimalistic-crypto-utils
can be kept, I suggest to set their versions to a fixed value instead of range