Conversation

@mikesposito
Member

@mikesposito mikesposito commented Jan 14, 2025

Description

This PR bumps elliptic in the dependency tree to mitigate the following security advisories:

The closest version that mitigates all the above advisories is 6.6.0.

Currently on main, these are the versions we have for elliptic:

> yarn why elliptic
=> Found "elliptic@6.6.0"
info Has been hoisted to "elliptic"
info Reasons this module exists
   - Hoisted from "@walletconnect#utils#elliptic"
   - Hoisted from "@metamask#ppom-validator#elliptic"
   - Hoisted from "secp256k1#elliptic"
   - Hoisted from "ethereumjs-abi#ethereumjs-util#elliptic"
   - Hoisted from "react-native-crypto#create-ecdh#elliptic"
   - Hoisted from "react-native-crypto#browserify-sign#elliptic"
   - Hoisted from "ethereumjs-util#secp256k1#elliptic"
info Disk size without dependencies: "288KB"
info Disk size with unique dependencies: "656KB"
info Disk size with transitive dependencies: "656KB"
info Number of shared dependencies: 7
=> Found "@ethersproject/signing-key#elliptic@6.5.4"
info This module exists because "ethers#@ethersproject#signing-key" depends on it.
info Disk size without dependencies: "288KB"
info Disk size with unique dependencies: "656KB"
info Disk size with transitive dependencies: "656KB"
info Number of shared dependencies: 7
=> Found "@reown/walletkit#elliptic@6.5.7"
info Reasons this module exists
   - "@walletconnect#se-sdk#@reown#walletkit#@walletconnect#utils" depends on it
   - Hoisted from "@walletconnect#se-sdk#@reown#walletkit#@walletconnect#utils#elliptic"
info Disk size without dependencies: "172KB"
info Disk size with unique dependencies: "540KB"
info Disk size with transitive dependencies: "540KB"
info Number of shared dependencies: 7
=> Found "@walletconnect/sign-client#elliptic@6.5.7"
info Reasons this module exists
   - "@walletconnect#se-sdk#@reown#walletkit#@walletconnect#sign-client#@walletconnect#utils" depends on it
   - Hoisted from "@walletconnect#se-sdk#@reown#walletkit#@walletconnect#sign-client#@walletconnect#utils#elliptic"
info Disk size without dependencies: "172KB"
info Disk size with unique dependencies: "540KB"
info Disk size with transitive dependencies: "540KB"
info Number of shared dependencies: 7

The added resolution forces the package to ^6.6.0, which currently resolves to 6.6.1.

Related issues

Related: MetaMask/core#4847

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

@mikesposito mikesposito requested a review from a team January 14, 2025 13:40
@mikesposito mikesposito requested a review from a team as a code owner January 14, 2025 13:40
@mikesposito mikesposito requested a review from a team January 14, 2025 13:41
@github-actions
Contributor

github-actions bot commented Jan 14, 2025

https://bitrise.io/ Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: d7018c0
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/efb9ce5e-aa7d-48f4-93ce-27a3d5486b35

Note

  • You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 60.91%. Comparing base (bcec04e) to head (6ace323).
Report is 8 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #12979      +/-   ##
==========================================
+ Coverage   60.89%   60.91%   +0.01%     
==========================================
  Files        1917     1920       +3     
  Lines       42708    42742      +34     
  Branches     5788     5795       +7     
==========================================
+ Hits        26007    26035      +28     
- Misses      14937    14943       +6     
  Partials     1764     1764              


@github-actions
Contributor

github-actions bot commented Jan 30, 2025

https://bitrise.io/ Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: 6ace323
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/7d243b5c-6b57-4b33-813f-faebc25ff212


Member

@Gudahtt Gudahtt left a comment

LGTM!

@mikesposito mikesposito added this pull request to the merge queue Feb 11, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 11, 2025
@mikesposito mikesposito added this pull request to the merge queue Feb 11, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 11, 2025
@Gudahtt
Member

Gudahtt commented Feb 11, 2025

The audit job seems to be passing on main 🤔 https://github.com/MetaMask/metamask-mobile/actions/runs/13263211884/job/37038532738

@Gudahtt Gudahtt added this pull request to the merge queue Feb 11, 2025
@Gudahtt
Member

Gudahtt commented Feb 11, 2025

The merge queue failure seems to be an install script error tied to the sharp package, not obviously related to this PR. I recall that error being discussed before, not sure why it's happening here but it seems safe to proceed.

Merged via the queue into main with commit e00b97f Feb 11, 2025
39 checks passed
@Gudahtt Gudahtt deleted the mikesposito/deps/elliptic branch February 11, 2025 17:10
@github-actions github-actions bot locked and limited conversation to collaborators Feb 11, 2025
@metamaskbot metamaskbot added the release-7.41.0 Issue or pull request that will be included in release 7.41.0 label Feb 11, 2025
Labels

release-7.41.0 Issue or pull request that will be included in release 7.41.0 team-wallet-framework
