
Security issue: hdkey package

Open paulmillr opened this issue 1 year ago • 3 comments

It's pretty old and uncool. Uses a lot of sub-deps. Unaudited subdeps which could be updated by different authors are a supply chain security issue.

The suggestion is to switch to https://github.com/paulmillr/scure-bip32 which is being used by ethereum-cryptography in your dep tree. Scure has been audited, paid for by EF.

bip39 could also be replaced with scure-bip39.

paulmillr avatar May 10 '23 23:05 paulmillr
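The sub-dependency point above is something a reviewer can measure rather than argue about. The script below is an added example, not code from the issue or the project: it walks an npm lockfile (v2/v3 `packages` map, with npm's nearest-`node_modules` resolution) and reports how many installed packages a dependency pulls in, so the hdkey subtree can be compared with the scure one. It assumes the scure library is published on npm as `@scure/bip32`; the lockfile contents are a constructed, simplified sample, not the project's real tree.

```javascript
// Added example, not from the issue or the project: walk an npm lockfile
// (v2/v3 "packages" map) to list everything a dependency pulls in, so the
// footprints of hdkey and @scure/bip32 can be compared during review. The
// lock below is a constructed, simplified sample, not the project's real tree.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/hdkey": { version: "2.1.0", dependencies: { bs58check: "^2.1.2", secp256k1: "^4.0.0" } },
  "node_modules/bs58check": { version: "2.1.2", dependencies: { "safe-buffer": "^5.0.1", "create-hash": "^1.1.0" } },
  "node_modules/create-hash": { version: "1.2.0", dependencies: { "safe-buffer": "^5.1.1" } },
  "node_modules/create-hash/node_modules/safe-buffer": { version: "5.1.2" }, // nested second copy
  "node_modules/safe-buffer": { version: "5.2.1" },
  "node_modules/secp256k1": { version: "4.0.3", dependencies: { "node-addon-api": "^2.0.0" } },
  "node_modules/node-addon-api": { version: "2.0.2" },
  "node_modules/@scure/bip32": { version: "1.3.0", dependencies: { "@noble/curves": "~1.0.0", "@noble/hashes": "~1.3.0", "@scure/base": "~1.1.0" } },
  "node_modules/@noble/curves": { version: "1.0.0", dependencies: { "@noble/hashes": "1.3.0" } },
  "node_modules/@noble/hashes": { version: "1.3.0" },
  "node_modules/@scure/base": { version: "1.1.1" },
} };

function resolveDep(packages, fromPath, name) { // nearest node_modules first, then walk up to the root
  for (let base = fromPath; ; ) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (optional or peer dep)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx < 0 ? "" : base.slice(0, idx);
  }
}

// Everything installed under rootDep, excluding rootDep itself. Entries are
// keyed by install path, so a package present in two copies is counted twice.
function footprint(lock, rootDep) {
  const start = resolveDep(lock.packages, "", rootDep);
  if (!start) throw new Error(`${rootDep} is not in the lockfile`);
  const seen = new Map(); // install path -> version
  for (const stack = [start]; stack.length; ) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.set(p, lock.packages[p].version);
    for (const dep of Object.keys(lock.packages[p].dependencies || {})) {
      const r = resolveDep(lock.packages, p, dep);
      if (r) stack.push(r);
    }
  }
  seen.delete(start);
  // name = text after the last "node_modules/" (13 chars), keeps scoped names intact
  const deps = [...seen].map(([path, version]) => ({ path, version, name: path.slice(path.lastIndexOf("node_modules/") + 13) }));
  return { rootDep, installed: deps.length, distinctPackages: new Set(deps.map((d) => d.name)).size, deps };
}

for (const f of ["hdkey", "@scure/bip32"].map((d) => footprint(sampleLock, d)))
  console.log(`${f.rootDep}: ${f.installed} installed copies, ${f.distinctPackages} distinct packages`);
```

Run it against a real `package-lock.json` by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the `deps` list is the set of packages whose maintainers you are implicitly trusting.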

duplicate of #1526

ckLee8 avatar May 11 '23 00:05 ckLee8

not really a duplicate, more an extension: hdkey != bip39

paulmillr avatar May 11 '23 01:05 paulmillr

I feel like the priority of this should be bumped

ai-slave avatar May 23 '23 12:05 ai-slave