
Security issue: insecure cryptography and dependencies

Open · paulmillr opened this issue 1 year ago · 1 comment

https://github.com/bitpay/bitcore/blob/f778e62c3bcaa6799f8be0bd870d7e3910d7e16f/packages/bitcore-lib/package.json#L43

has long been unmaintained and has had a few CVEs. I suggest taking the following actions:

  • replace elliptic with audited @noble/curves
  • replace scryptsy with audited @noble/hashes
  • upgrade ethers to v6, which stopped using elliptic
  • remove bn.js, replace with native bigint

paulmillr · Dec 15 '23 16:12
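Of the four actions listed above, the last one (dropping bn.js for native bigint) is the one a maintainer can carry out without pulling in a new dependency. The block below is an added example, not code from the issue or from bitcore: it shows the field arithmetic that bn.js is typically used for in EC code (reduction into the field, modular exponentiation, modular inverse, hex conversion) written with native BigInt. The secp256k1 field prime is used only as a sample modulus, and the function names are this example's own.

```javascript
// Added example (not from the bitcore issue or project): modular arithmetic
// that bn.js used to provide, written with native BigInt (Node.js >= 10.4).
// Sample modulus: the secp256k1 field prime p = 2^256 - 2^32 - 977.
const P = 2n ** 256n - 2n ** 32n - 977n;

// Reduce any integer (including negatives) into [0, m).
function mod(a, m = P) {
  const r = a % m;
  return r >= 0n ? r : r + m;
}

// Square-and-multiply modular exponentiation (what BN.red()/redPow did).
function modPow(base, exp, m = P) {
  if (exp < 0n) throw new RangeError('negative exponent');
  let result = 1n;
  let b = mod(base, m);
  let e = exp;
  while (e > 0n) {
    if (e & 1n) result = (result * b) % m;
    b = (b * b) % m;
    e >>= 1n;
  }
  return result;
}

// Modular inverse via the extended Euclidean algorithm (what BN.invm did).
// Throws when gcd(a, m) != 1, i.e. when no inverse exists.
function modInverse(a, m = P) {
  let [oldR, r] = [mod(a, m), m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r; // BigInt division truncates, which is what we want here
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new RangeError('no modular inverse');
  return mod(oldS, m);
}

// Hex helpers, covering the common `new BN(hex, 16)` / `bn.toString(16)` uses.
function fromHex(hex) {
  return BigInt('0x' + hex);
}
function toHex(n, bytes = 32) {
  return n.toString(16).padStart(bytes * 2, '0');
}

// Sanity check: for a prime modulus, Fermat's little theorem gives
// a^(p-2) == a^-1, so both routes must agree.
function inverseRoutesAgree(a, m = P) {
  return modPow(a, m - 2n, m) === modInverse(a, m);
}

module.exports = { P, mod, modPow, modInverse, fromHex, toHex, inverseRoutesAgree };
```

One caveat a reviewer should keep in mind when doing this migration: native BigInt arithmetic is not constant-time, so the swap removes an unmaintained dependency but does not by itself make secret-dependent operations (scalar multiplication with a private key, for example) resistant to timing side channels; that is one reason the issue points to an audited curve library for the EC layer rather than only to bigint.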

Thanks for the suggestions and concern. We're actively looking into and addressing this.

kajoseph · Dec 17 '23 19:12