Closed mahnunchik closed 1 year ago
That was done on purpose. My aim is to have much higher supply chain security than most other packages on NPM. This means that if you depend on bip32@1.3, if my NPM account is hacked, you won't be affected by it.
So, this won't be changed.
This also forces to make releases less often. I don't want to release 1.3.0 and then 1.4.0 a few weeks later: there needs to be some time, because updating all dependents is tedious.
@paulmillr if your account is hacked then modified patch version can be published. It will be matched by ~
and ^
.
So the solution doesn't resolve security issue but increases bundle size (there are 3 versions of @noble/curves
in my project).
Alternative solution: update dependencies of @scure/bip32
, ed25519-keygen
, micro-*-signer
more often.
Alternative solution: update dependencies of @scure/bip32, ed25519-keygen, micro-*-signer more often.
yeah that sounds better
GitHub still doesn't allow me to update ed25519-keygen though
I'm looking forward to have deps updated and new ed25519-keygen
published.
Modules dependent on
@noble/curves
uses~
as version matcher. It produces many version of@noble/curves
in dependencies tree:https://github.com/paulmillr/scure-btc-signer/blob/e9fdfbc1fe8ce43efa384e1f433f72c21ce25562/package.json#L17-L20
I think that
^
can be used for own modules to reduce total bundle size.Issue is also related to
@noble/hashes
and@scure/base