Open ruseinov opened 4 months ago
I am applying to this issue via OnlyDust platform.
I am a process engineer and I have a high problem-solving capacity. I am currently co-founder and developer of my own startup.
My work can be divided into 3 stages:
This is my first ODHack. I hope to contribute a lot; I am available to start immediately.
@MPSxDev Go for it!
This is the research work carried out: first checking that the repositories are maintained and active, and then verifying the existence of documentation on docs.rs. Below I leave the points found in the audit.toml file:
atty: This has not been maintained for 2 years. An alternative:
wee_alloc: This has not been maintained for 3 years; a solution may be to implement
curve25519-dalek: Because it has vulnerabilities, I found this alternative:
I look forward to your comments and any other requests that may be required.
We had a prior discussion about wee_alloc and decided to keep it: https://github.com/near/near-sdk-rs/pull/1151
atty, curve25519-dalek - they are not direct dependencies, right? Can we update any of direct dependencies to fix it?
@MPSxDev near-sdk-rs does not directly depend on atty. Please, inspect the dependencies tree to identify which crates we need to update in order to upgrade/eliminate atty and curve25519-dalek. Once identified, we could make a decision whether we can contribute the fix to those dependencies as there is nothing near-sdk-rs can do about it directly.
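The dependency-tree inspection requested above can be done interactively with `cargo tree -i <crate>`, but the same question (which direct dependencies are the ones to upgrade or replace in order to eliminate a flagged transitive crate) can be answered mechanically from `cargo metadata` output. The following is an added example, not code from near-sdk-rs or any of the people in this thread; it runs over a constructed, trimmed-down stand-in for `cargo metadata --format-version 1` JSON (the crate ids and versions in it are made up), and in a real project you would feed it `cargo metadata`'s actual output instead.

```python
"""Find which direct dependencies pull in a flagged transitive crate.

Input is the JSON produced by `cargo metadata --format-version 1`, which
carries a `resolve.nodes` list with one entry per resolved package id and
the ids it depends on. SAMPLE_METADATA below is a constructed stand-in so
the script runs offline; it is not real near-sdk-rs metadata.
"""
import json
from collections import deque

# Constructed stand-in for `cargo metadata` output (crate names/versions made up).
SAMPLE_METADATA = json.dumps({
    "workspace_members": ["root-crate 0.1.0"],
    "resolve": {
        "nodes": [
            {"id": "root-crate 0.1.0", "dependencies": ["cli-tool 1.0.0", "signer 2.0.0"]},
            {"id": "cli-tool 1.0.0", "dependencies": ["pretty-term 0.3.0"]},
            {"id": "pretty-term 0.3.0", "dependencies": ["atty 0.2.14"]},
            {"id": "atty 0.2.14", "dependencies": []},
            {"id": "signer 2.0.0", "dependencies": ["ed25519-dalek 1.0.1"]},
            {"id": "ed25519-dalek 1.0.1", "dependencies": ["curve25519-dalek 3.2.0"]},
            {"id": "curve25519-dalek 3.2.0", "dependencies": []},
        ]
    },
})


def crate_name(pkg_id):
    """Package ids look like '<name> <version> ...'; keep only the name."""
    return pkg_id.split()[0]


def load_graph(metadata_json):
    """Return (workspace member ids, adjacency map id -> dependency ids)."""
    meta = json.loads(metadata_json)
    edges = {node["id"]: node["dependencies"] for node in meta["resolve"]["nodes"]}
    return meta["workspace_members"], edges


def paths_to(metadata_json, flagged):
    """Every dependency chain (as crate names) from a workspace member to `flagged`."""
    roots, edges = load_graph(metadata_json)
    found = []
    for root in roots:
        queue = deque([[root]])  # breadth-first over paths, shortest chains first
        while queue:
            path = queue.popleft()
            for dep in edges.get(path[-1], []):
                if dep in path:
                    continue  # guard against dependency cycles
                new_path = path + [dep]
                if crate_name(dep) == flagged:
                    found.append([crate_name(p) for p in new_path])
                else:
                    queue.append(new_path)
    return found


def direct_deps_to_update(metadata_json, flagged):
    """Direct dependencies that would need an upgrade or replacement to drop `flagged`.

    The second element of each chain is the direct dependency of the workspace
    member; those are the crates the project can actually act on.
    """
    return sorted({path[1] for path in paths_to(metadata_json, flagged) if len(path) > 1})


if __name__ == "__main__":
    for crate in ("atty", "curve25519-dalek"):
        for chain in paths_to(SAMPLE_METADATA, crate):
            print(" -> ".join(chain))
        print(f"{crate}: update or replace {direct_deps_to_update(SAMPLE_METADATA, crate)}")
```

On the constructed data this reports that `atty` enters only through `cli-tool` and `curve25519-dalek` only through `signer`, which mirrors the conclusion in the thread: the workspace cannot remove the flagged crate itself, so the fix is an upgrade of (or a PR to) the direct dependency at the head of each chain.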
After a thorough investigation of the packages that include the involved dependencies:
These include the atty dependency:
These include ed25519-dalek (which includes curve25519-dalek):
Below are the affected packages used, including the current version and whether they continue to use these affected dependencies.
In summary, the following steps should be taken:
@MPSxDev Great summary! We definitely can act on the first two steps immediately. slip10 has been replaced with slipped10, and that should have been subsequently updated in the recent near-cli-rs and cargo-near releases. Can you give upgrading the dependencies a try and author the atty PR to cargo-near as part of this issue?
@frol Thank you very much. Yes, I can try to update this. If I have any questions, I will let you know.
This issue should be closed. I have already done the audit on the latest version: there is no presence of atty, and the versions of the other dependencies are already updated to versions without the vulnerability. @frol
And revisit other ignores.
https://github.com/near/near-sdk-rs/blob/master/.cargo/audit.toml