ci: update audit-ci.jsonc (#218)

OffchainLabs · Oct 24, 2024 · 0522b1c · 0522b1c
1 parent db18a1c
commit 0522b1c
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
@@ -76,10 +76,21 @@
     // vite is not used in production
     // from: vitest > vite
     "GHSA-9cwx-2883-4wfx",
+    // https://github.com/advisories/GHSA-584q-6j8j-r5pm
+    // secp256k1-node allows private key extraction over ECDH
+    // We're using eliptic 5.0.7 which doesn't contain the issue
+    // https://github.com/cryptocoinjs/secp256k1-node/commit/dc37f41f2abfe87853b54bcd7d1b556db41b0c64#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R35
+    // from: @arbitrum/token-bridge-contracts > @openzeppelin/upgrades-core > ethereumjs-util > ethereum-cryptography
+    "GHSA-584q-6j8j-r5pm",
+    // https://github.com/advisories/GHSA-fc9h-whq2-v747
+    // Valid ECDSA signatures erroneously rejected in Elliptic
+    // from: @arbitrum/token-bridge-contracts > @openzeppelin/upgrades-core > ethereumjs-util > ethereum-cryptography > secp256k1
+    // from: ethers > @ethersproject/signing-key
+    "GHSA-fc9h-whq2-v747",
     // https://github.com/advisories/GHSA-gcx4-mw62-g8wm
     // DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
-    // vite is not used in production
-    // from: vitest > vite
+    // rollup is not used in production
+    // from vite > rollup
     "GHSA-gcx4-mw62-g8wm"
   ]
 }