This repository was archived by the owner on May 26, 2023. It is now read-only.
This repository was archived by the owner on May 26, 2023. It is now read-only.
Improve supply chain security by switching to better dependencies #462
Description
Those deps from crypto package:
"@types/elliptic": "^6.4.13",
"elliptic": "^6.5.0",
"hash.js": "^1.1.5",
"hmac-drbg": "^1.0.1",
"pbkdf2": "^3.0.16",
"scrypt-js": "^3.0.1",
"scryptsy": "^2.1.0",
"sodium-randbytes": "0.14.0",
and their sub-dependencies (10+?) can be replaced by @noble/secp256k1, @noble/hashes — just two packages. This is what ethereum, solana, etc - did.
Every package is potential security vulnerability, because maintainers could get hacked and their packages could be replaced with malware. Elliptic also had 2 CVEs, which is pretty bad.
schnorr.ts can be replaced by built-in schnorr from @noble/secp256k1.