Skip to content

Update elliptic for Improper Verification of Cryptographic Signature. #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Update elliptic for Improper Verification of Cryptographic Signature. #94

wants to merge 1 commit into from

Conversation

ahmedtausif
Copy link

Update elliptic for Improper Verification of Cryptographic Signature (https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303)

ljharb
ljharb requested changes Nov 19, 2024
View reviewed changes
Copy link
Member

@ljharb ljharb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

6.6.1 is already in-range for ^6.5.5, so nothing needs to be done except you updating your own lockfiles.

package.json
@@ -1,6 +1,6 @@
{
"name": "browserify-sign",
"version": "4.2.3",
"version": "4.2.4",
Copy link
Member

@ljharb ljharb Nov 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

versions should never be updated in PRs, please revert this

This was referenced Nov 27, 2024
Closed
Closed
@Fraraven
Copy link

Will this be released soon?

@ljharb
Copy link
Member

ljharb commented Mar 12, 2025

@Fraraven no, because there’s no need for it. Just update your lockfile.

@ljharb ljharb marked this pull request as draft March 12, 2025 15:29
@jtstrohl
Copy link

jtstrohl commented Apr 2, 2025

@ljharb -
The latest version (6.6.1) of the elliptic package is still marked as vulnerable by Snyk and an example has been provided by a community member that shows it is still vulnerable. Based on the discussion in the issue threads (#321 and #323) in the elliptic project, there doesn't seem to be much hope this will be fixed any time soon. Is it possible to replace browserify-sign's dependency on elliptic with a secure alternative such as noble-curves by paulmillr?

@ljharb
Copy link
Member

ljharb commented Apr 2, 2025

Unfortunately not, because noble-curves doesn't support the node versions we do, so it'd be a breaking change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ljharb ljharb ljharb requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ahmedtausif @Fraraven @ljharb @jtstrohl