Skip to content

Update elliptic for Improper Verification of Cryptographic Signature.#94

Draft
ahmedtausif wants to merge 1 commit intobrowserify:mainfrom
ahmedtausif:main
Draft

Update elliptic for Improper Verification of Cryptographic Signature.#94
ahmedtausif wants to merge 1 commit intobrowserify:mainfrom
ahmedtausif:main

Conversation

@ahmedtausif
Copy link

@ahmedtausif ahmedtausif commented Nov 19, 2024

Update elliptic for Improper Verification of Cryptographic Signature (https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303)

ljharb
ljharb requested changes Nov 19, 2024
View reviewed changes
Copy link
Member

@ljharb ljharb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

6.6.1 is already in-range for ^6.5.5, so nothing needs to be done except you updating your own lockfiles.

package.json
{
"name": "browserify-sign",
"version": "4.2.3",
"version": "4.2.4",
Copy link
Member

@ljharb ljharb Nov 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

versions should never be updated in PRs, please revert this

This was referenced Nov 27, 2024
Closed
Closed
@Fraraven
Copy link

Fraraven commented Mar 12, 2025

Will this be released soon?

@ljharb
Copy link
Member

ljharb commented Mar 12, 2025

@Fraraven no, because there’s no need for it. Just update your lockfile.

@ljharb ljharb marked this pull request as draft March 12, 2025 15:29
@jtstrohl
Copy link

jtstrohl commented Apr 2, 2025

@ljharb -
The latest version (6.6.1) of the elliptic package is still marked as vulnerable by Snyk and an example has been provided by a community member that shows it is still vulnerable. Based on the discussion in the issue threads (#321 and #323) in the elliptic project, there doesn't seem to be much hope this will be fixed any time soon. Is it possible to replace browserify-sign's dependency on elliptic with a secure alternative such as noble-curves by paulmillr?

@ljharb
Copy link
Member

ljharb commented Apr 2, 2025

Unfortunately not, because noble-curves doesn't support the node versions we do, so it'd be a breaking change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ljharb ljharb ljharb requested changes

+1 more reviewer

@BoomchainLabs BoomchainLabs BoomchainLabs approved these changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ahmedtausif @Fraraven @ljharb @jtstrohl @BoomchainLabs

Comments