stellar
Security issue: insecure dep is used, upgrade to something better
You are using tweetnacl, which allows forged signatures.
I suggest to upgrade to noble-curves, which are modern, audited, support ESM+Common.js and a bunch of other stuff. The noble libraries are used all over Ethereum and Solana ecosystems already.
When you say it allows forged signatures, do you mean it can easily generate forged signatures, or it validates forged signatures? Could you link to a cve or some vulnerability report so i can review this? Thank you.
It seems to have to do with the verification of the signature using the ed25519 class provided by tweetnacl, referencing your issue in the parent repo was helpful https://github.com/dchest/tweetnacl-js/issues/253 I agree we should probably find a way to negate this.
https://github.com/paulmillr/noble-curves fixes this, it's very easy to switch
I hope you can understand why someone would hesitate to move a mission-critical security library that has been stable for years to someone promoting their own repository, whose code was audited prior to a 1.0 release.
Notably, this isn't a Stellar issue (the network itself uses libsodium), and tweetnacl.js is a fallback library here, but I'd still like to investigate whether https://github.com/dchest/tweetnacl-js/issues/253 can affect the ecosystem somehow and whether a fork would be a preferred solution to limit generating a new attack surface. The report is deeply appreciated!
someone promoting their own repository, whose code was audited prior to a 1.0 release
Yeah, I promote it, and because of the promotion it's been funded by ethereum foundation, optimism, used in many wallets, protonmail, and others.
I don't see any problem with promotion and proper competition. Do you?
Also not sure what this means
whose code was audited prior to a 1.0 release
I've released noble-ed25519 in june 2019, 4 years ago. Promoting a new player in the field was hard and time-consuming. The first audit of secp was executed in april 2021, 26 months ago.
