
Update elliptic for Improper Verification of Cryptographic Signature.

Open ahmedtausif opened this issue 1 year ago • 4 comments

Update elliptic for Improper Verification of Cryptographic Signature (https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303)

ahmedtausif, Nov 19 '24 14:11

Will this be released soon?

Fraraven, Mar 12 '25 09:03

@Fraraven no, because there’s no need for it. Just update your lockfile.

ljharb, Mar 12 '25 15:03
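"Just update your lockfile" only helps if the lockfile actually stops resolving the old elliptic, including nested copies that a second dependent may still pin. The script below is an added example, not code from browserify-sign or elliptic: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3), lists every installed copy of a package, and flags those below a minimum version. The lockfile object is constructed for the example, and the 6.6.1 threshold is taken from the comment further down in this thread rather than from any advisory.

```javascript
// Added example (not from browserify-sign or elliptic): audit which versions of a
// package an npm lockfile resolves to, so "update your lockfile" can be verified.
// The lockfile below is constructed for this example, including a hypothetical
// second dependent that pins an older elliptic.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "browserify-sign": "^4.2.3" } },
    "node_modules/browserify-sign": { version: "4.2.3", dependencies: { elliptic: "^6.5.5" } },
    "node_modules/elliptic": { version: "6.6.1" },
    "node_modules/some-wallet-lib": { version: "1.0.0", dependencies: { elliptic: "6.5.4" } },
    "node_modules/some-wallet-lib/node_modules/elliptic": { version: "6.5.4" },
  },
};

// Compare two dotted numeric versions (no prerelease handling, which is enough for
// release pins like 6.5.4 vs 6.6.1). Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile entry that installs `pkgName`, with its install path and version.
// A nested path like node_modules/a/node_modules/elliptic is a second copy kept for
// `a`, which is exactly what `npm ls elliptic` would also show.
function findInstalls(lock, pkgName) {
  const suffix = "node_modules/" + pkgName;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Installs of `pkgName` whose version is below `minVersion`.
function findOutdated(lock, pkgName, minVersion) {
  return findInstalls(lock, pkgName).filter((i) => compareVersions(i.version, minVersion) < 0);
}

// Stand-alone run: report each copy of elliptic and any below the threshold.
if (typeof require !== "undefined" && require.main === module) {
  for (const i of findInstalls(sampleLock, "elliptic")) console.log(i.path, i.version);
  const bad = findOutdated(sampleLock, "elliptic", "6.6.1");
  console.log(bad.length ? `${bad.length} install(s) below 6.6.1` : "all installs at or above 6.6.1");
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-copy case is the one that survives a naive `npm update elliptic`, because the top-level copy moves while a dependent with an exact pin keeps its own.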

@ljharb - The latest version (6.6.1) of the elliptic package is still marked as vulnerable by Snyk and an example has been provided by a community member that shows it is still vulnerable. Based on the discussion in the issue threads (#321 and #323) in the elliptic project, there doesn't seem to be much hope this will be fixed any time soon. Is it possible to replace browserify-sign's dependency on elliptic with a secure alternative such as noble-curves by paulmillr?

jtstrohl, Apr 02 '25 21:04

Unfortunately not, because noble-curves doesn't support the node versions we do, so it'd be a breaking change.

ljharb, Apr 02 '25 21:04