elliptic version 6.5.3 has a vulnerability

[samtjo]

trafficstars

Running an npm audit will show that [email protected] has a moderate vulnerability - Use of a Broken or Risky Cryptographic Algorithm

Upgrading elliptic to version 6.5.4 will resolve the vulnerability

[elgreg]

Better yet, upgrade to 6.5.7 - there are 3 known CVEs in 6.5.6 as well.

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.