$ npm install bitcoin-core --save
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
added 69 packages, and audited 129 packages in 7s
3 packages are looking for funding
run `npm fund` for details
2 high severity vulnerabilities
To address all issues, run:
npm audit fix
Run `npm audit` for details.
$ npm audit
# npm audit report
json-bigint <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - https://github.com/advisories/GHSA-wgfq-7857-4jcc
fix available via `npm audit fix --force`
Will install bitcoin-core@1.2.0, which is a breaking change
node_modules/json-bigint
bitcoin-core >=2.0.0
Depends on vulnerable versions of json-bigint
node_modules/bitcoin-core
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
From what I can understand from the GitHub advisory, the bitcoin-core library should be updated to use json-bigint 1.0.0 or later (if still required). Otherwise, a malicious Bitcoin node might cause a DoS on the Node.js client by injecting a particular property in the JSON output.
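To confirm which installed copy of json-bigint is below the 1.0.0 fix version named in the audit output, and which package resolves to it, the lockfile can be checked directly. This is an added example, not part of the original report or of bitcoin-core's code; the lockfile is a constructed sample, and its version numbers and the helper names are assumptions.

```javascript
// Constructed sample lockfile ("packages" layout of lockfileVersion 2/3); versions are illustrative.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'bitcoin-core': '^2.0.0' } },
    'node_modules/bitcoin-core': { version: '2.0.0', dependencies: { 'json-bigint': '^0.3.0' } },
    'node_modules/json-bigint': { version: '0.3.0' },
  },
};

// Numeric compare of plain x.y.z versions; pre-release suffixes are ignored.
function lessThan(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Package name from a lockfile path such as "node_modules/a/node_modules/b".
function nameOf(path) {
  return path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Node-style resolution: try the dependent's own node_modules, then walk up to the root.
function resolve(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// List every installed copy of `name` below `fixedIn`, with the packages that resolve to it.
function findVulnerable(lock, name, fixedIn) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path || !meta.version || nameOf(path) !== name || !lessThan(meta.version, fixedIn)) continue;
    const dependents = Object.entries(packages)
      .filter(([p, m]) => m.dependencies && name in m.dependencies && resolve(packages, p, name) === path)
      .map(([p]) => (p ? nameOf(p) : '(root project)'));
    hits.push({ path, version: meta.version, dependents });
  }
  return hits;
}

console.log(JSON.stringify(findVulnerable(sampleLock, 'json-bigint', '1.0.0'), null, 2));
```

To run it against a real project, pass the parsed contents of its `package-lock.json` in place of `sampleLock`.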