Skip to content

Update elliptic for Improper Verification of Cryptographic Signature.#94

Draft
ahmedtausif wants to merge 1 commit into
browserify:mainfrom
ahmedtausif:main
Draft

Update elliptic for Improper Verification of Cryptographic Signature.#94
ahmedtausif wants to merge 1 commit into
browserify:mainfrom
ahmedtausif:main

Conversation

@ahmedtausif

@ahmedtausif ahmedtausif commented Nov 19, 2024

Copy link
Copy Markdown

Update elliptic for Improper Verification of Cryptographic Signature (https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303)

ljharb
ljharb requested changes Nov 19, 2024
View reviewed changes

@ljharb ljharb left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

6.6.1 is already in-range for ^6.5.5, so nothing needs to be done except you updating your own lockfiles.

Comment thread package.json
{
"name": "browserify-sign",
"version": "4.2.3",
"version": "4.2.4",

@ljharb ljharb Nov 19, 2024
edited
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

versions should never be updated in PRs, please revert this

This was referenced Nov 27, 2024
Closed
Closed
@Fraraven

Fraraven commented Mar 12, 2025

Copy link
Copy Markdown

Will this be released soon?

@ljharb

ljharb commented Mar 12, 2025

Copy link
Copy Markdown
Member

@Fraraven no, because there’s no need for it. Just update your lockfile.

@ljharb ljharb marked this pull request as draft March 12, 2025 15:29
@jtstrohl

jtstrohl commented Apr 2, 2025

Copy link
Copy Markdown

@ljharb -
The latest version (6.6.1) of the elliptic package is still marked as vulnerable by Snyk and an example has been provided by a community member that shows it is still vulnerable. Based on the discussion in the issue threads (#321 and #323) in the elliptic project, there doesn't seem to be much hope this will be fixed any time soon. Is it possible to replace browserify-sign's dependency on elliptic with a secure alternative such as noble-curves by paulmillr?

@ljharb

ljharb commented Apr 2, 2025

Copy link
Copy Markdown
Member

Unfortunately not, because noble-curves doesn't support the node versions we do, so it'd be a breaking change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ljharb ljharb ljharb requested changes

+1 more reviewer

@BoomchainLabs BoomchainLabs BoomchainLabs approved these changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ahmedtausif @Fraraven @ljharb @jtstrohl @BoomchainLabs