search

paulmillr / noble-curves

Audited & minimal JS implementation of elliptic curve cryptography.
https://paulmillr.com/noble
MIT License
623 stars 56 forks source link

Package version in dependent modules #63

Closed mahnunchik closed 1 year ago

mahnunchik commented 1 year ago

Modules dependent on @noble/curves uses ~ as version matcher. It produces many version of @noble/curves in dependencies tree:

├── @noble/curves@1.1.0
├─┬ @scure/bip32@1.3.0
│ └── @noble/curves@1.0.0
└─┬ @scure/btc-signer@1.0.1
  └── @noble/curves@1.0.0

https://github.com/paulmillr/scure-btc-signer/blob/e9fdfbc1fe8ce43efa384e1f433f72c21ce25562/package.json#L17-L20

I think that ^ can be used for own modules to reduce total bundle size.

Issue is also related to @noble/hashes and @scure/base

paulmillr commented 1 year ago

That was done on purpose. My aim is to have much higher supply chain security than most other packages on NPM. This means that if you depend on bip32@1.3, if my NPM account is hacked, you won't be affected by it.

So, this won't be changed.

This also forces to make releases less often. I don't want to release 1.3.0 and then 1.4.0 a few weeks later: there needs to be some time, because updating all dependents is tedious.

mahnunchik commented 1 year ago

@paulmillr if your account is hacked then modified patch version can be published. It will be matched by ~ and ^.

So the solution doesn't resolve security issue but increases bundle size (there are 3 versions of @noble/curves in my project).

Alternative solution: update dependencies of @scure/bip32, ed25519-keygen, micro-*-signer more often.

paulmillr commented 1 year ago

Alternative solution: update dependencies of @scure/bip32, ed25519-keygen, micro-*-signer more often.

yeah that sounds better

GitHub still doesn't allow me to update ed25519-keygen though

mahnunchik commented 1 year ago

I'm looking forward to have deps updated and new ed25519-keygen published.