
[Snyk] Upgrade ethereumjs-wallet from 0.6.0 to 1.0.2 #10

Open: wants to merge 1 commit into master
Conversation

Manny27nyc (Owner)

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade ethereumjs-wallet from 0.6.0 to 1.0.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


Warning: This is a major version upgrade, and may be a breaking change.

  • The recommended version is 8 versions ahead of your current version.
  • The recommended version was released 2 years ago, on 2021-10-08.

The recommended version fixes:

Severity | Issue | Priority Score (*) | Exploit Maturity
 | Cryptographic Issues, SNYK-JS-ELLIPTIC-571484 | 492/1000 (Why? Proof of Concept exploit, CVSS 7.7) | Proof of Concept
 | Cryptographic Issues, SNYK-JS-ELLIPTIC-1064899 | 492/1000 (Why? Proof of Concept exploit, CVSS 7.7) | No Known Exploit
 | Timing Attack, SNYK-JS-ELLIPTIC-511941 | 492/1000 (Why? Proof of Concept exploit, CVSS 7.7) | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: ethereumjs-wallet
  • 1.0.2 - 2021-10-08
    • Updated dependencies to latest, added browser build, PR #157

    Included Source Files

    Source files from the src folder are now included in the distribution build. This allows for a better debugging experience in debug tools like Chrome DevTools by having working source map references to the original sources available for inspection.

  • 1.0.1 - 2020-09-24
    • Fixed a browser issue in Wallet.fromV3() and Wallet.toV3() triggered when using web bundlers using Buffer v4 shim (Webpack 4), see PR #135
  • 1.0.0 - 2020-06-24

    This is the first TypeScript release on the library (thanks @the-jackalope for the rewrite! ❤️), see PR #93 for the main PR here. The release comes with various breaking changes.

    Library Import / API Documentation

    The way submodules are exposed has been changed along the TypeScript rewrite and you will likely have to update your imports. Here is an example for the hdkey submodule:

    Node.js / ES5:

    const { hdkey } = require('ethereumjs-wallet')

    ESM / TypeScript:

    import { hdkey } from 'ethereumjs-wallet'

    See README for examples on the other submodules.

    Together with the switch to TypeScript the previously static documentation has been automated to now being generated with TypeDoc to reflect all latest changes, see PR #98. See the new docs for an overview on the TypeScript based API.

    API Changes

    The API of the library hasn't been changed intentionally but has become more strict on type input by the explicit type definitions from the TypeScript code in function signatures together with the introduction of the ethereumjs-util v7 library within the Wallet library, which behaves more strictly on type input on the various utility functions.

    This leads to cases where some input - while not having been the intended way to use the library - might have been worked before through implicit type conversion and is now not possible any more.

    One example for this is the Wallet.fromPublicKey() function, here is the old code of the function:

    Wallet.fromPublicKey = function(pub, nonStrict) {
      if (nonStrict) {
        pub = ethUtil.importPublic(pub)
      }
      return new Wallet(null, pub)
    }

    and here the new TypeScript code:

    public static fromPublicKey(publicKey: Buffer, nonStrict: boolean = false): Wallet {
      if (nonStrict) {
        publicKey = importPublic(publicKey)
      }
      return new Wallet(undefined, publicKey)
    }

    This function worked in the v0.6.x version also with passing in a string, since the ethereumjs-util v6 importPublic method converted the input implicitly to a Buffer, the v1.0.0 version now directly enforces the fromPublicKey input to be a Buffer first hand.

    There will likely be more cases like this in the code since the type input of the library hasn't been documented in the older version. So we recommend here to go through all your function signature usages and see if you use the correct input types. While a bit annoying, this is a one-time task you will never have to do again, since you can now profit from the clear TypeScript input types being both documented and enforced by the TypeScript compiler.
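    An added example, not code from ethereumjs-wallet or this PR, that models the fromPublicKey() tightening described above so callers can check their inputs before upgrading: fromPublicKeyStrict, importPublicLocal and toPublicKeyBuffer are hypothetical stand-ins for the library's functions, and importPublicLocal only strips the 0x04 prefix rather than performing full key conversion.

```javascript
// Added example, not ethereumjs-wallet code; all function names are hypothetical.

// v1-style entry point: rejects anything that is not a Buffer, mirroring the
// TypeScript signature fromPublicKey(publicKey: Buffer, nonStrict = false).
function fromPublicKeyStrict(publicKey, nonStrict = false) {
  if (!Buffer.isBuffer(publicKey)) {
    throw new TypeError('publicKey must be a Buffer; v1.0.0 no longer converts strings');
  }
  const key = nonStrict ? importPublicLocal(publicKey) : publicKey;
  if (key.length !== 64) {
    throw new Error('expected a 64-byte public key without the 0x04 prefix');
  }
  return { publicKey: key };
}

// Stand-in for importPublic(): only strips the SEC1 0x04 prefix from a 65-byte
// uncompressed key. Compressed 33-byte keys would need EC point decompression,
// so they are rejected explicitly instead of being passed through.
function importPublicLocal(publicKey) {
  if (publicKey.length === 65 && publicKey[0] === 0x04) return publicKey.subarray(1);
  if (publicKey.length === 64) return publicKey;
  throw new Error('unsupported public key encoding (compressed keys not handled here)');
}

// The explicit conversion callers must now do themselves: accepts a Buffer or a
// hex string (with or without 0x), and rejects malformed hex instead of letting Buffer.from() truncate it.
function toPublicKeyBuffer(input) {
  if (Buffer.isBuffer(input)) return input;
  if (typeof input === 'string') {
    const hex = input.startsWith('0x') ? input.slice(2) : input;
    if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(hex)) {
      throw new Error('public key string is not valid hex');
    }
    return Buffer.from(hex, 'hex');
  }
  throw new TypeError('public key must be a Buffer or a hex string');
}

// Shows both outcomes on a constructed (not real) key: the old string call
// now fails with a TypeError, the explicit conversion succeeds.
function migrationDemo() {
  const rawKey = Buffer.alloc(64, 0x11);                          // constructed sample bytes
  const sec1Key = Buffer.concat([Buffer.from([0x04]), rawKey]);   // 65-byte 0x04-prefixed form
  const hexKey = '0x' + sec1Key.toString('hex');
  let stringRejected = false;
  try { fromPublicKeyStrict(hexKey, true); } catch (e) { stringRejected = e instanceof TypeError; }
  const wallet = fromPublicKeyStrict(toPublicKeyBuffer(hexKey), true);
  return { stringRejected, keyLength: wallet.publicKey.length, keyMatches: wallet.publicKey.equals(rawKey) };
}
```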

    Pure JS Crypto Dependencies

    This library now uses pure JS crypto dependencies which don't bring in the need for native compilation on installation. For scrypt key derivation scrypt-js from @ricmoo is used (see PR #125).

    For BIP-32 key derivation the new ethereum-cryptography library is used which is a new Ethereum Foundation backed and formally audited library to provide pure JS cryptographic primitives within the Ethereum ecosystem (see PR #128).

    Removed ProviderEngine

    Support for Provider Engine has been removed for security reasons, since the package is not very actively maintained and superseded by json-rpc-engine.

    If you need the removed functionality, it should be relatively easily possible to do this integration by adopting the code from provider-engine.ts.

    See also: PR #117

    Other Changes

    Bug Fixes

    • Fixes a bug where salt, iv and/or uuid options - being supplied as strings to Wallet.toV3() - could lead to errors during encryption and/or output that could not be decrypted, PR #95

    Refactoring & Maintenance

    Development & CI

    • Integrated the ethereumjs-config EthereumJS developer configuration standards, PR #93 (TypeScript PR)
    • Added org links and Git hooks, PR #88
  • 0.6.5 - 2020-07-16
  • 0.6.4 - 2020-06-23

    This is the last release from the v0.6.x release series. It adds Node 12 compatibility while maintaining compatibility down to Node 6. To be able to do so the scrypt.js key derivation library is exchanged with scryptsy. While this solution is backwards-compatible the changed library only provides a pure JS implementation and no native bindings. If you need native performance pin your dependency to v0.6.3 or update to the v1.0.0 library version to be released shortly after this release.

    Change Summary:

    • v0.6.x back patch: added node v12 support, switched to scryptsy key derivation library (pure JS implementation), PR #114
    • Updated hdkey to v1.1.1, PR #87
    • Refactored decipherBuffer(), PR #82
    • Added more tests for Wallet.fromEthSale(), PR #80
  • 0.6.3 - 2018-12-20
    • Fixed installation errors for certain packaging tools, PR #67
    • Remove dependency on crypto.randomBytes and use randombytes package instead, PR #63
    • Add comprehensive test coverage for fromV3, PR #62
    • Remove excess parameter from decipherBuffer usage, PR #77
    • Update dependencies, including a fixed scrypt.js, which should resolve more installation issues, PR #78
  • 0.6.2 - 2018-08-08
    • [PLEASE UPDATE!] Fixes a critical import bug introduced in v0.6.1 accidentally changing the import path for the different submodules, see PR #65
  • 0.6.1 - 2018-07-28
    • Added support for vanity address generation, PR #5
    • Fixed typo in provider-engine, PR #16
    • Accept the true range of addresses for ICAP direct, PR #6
    • Switched to babel ES5 build, PR #37
    • Improve test coverage (at 88% now), PR #27
    • Various dependency updates, PR #25
  • 0.6.0 - 2016-04-27

from ethereumjs-wallet GitHub release notes
Commit messages
Package name: ethereumjs-wallet
  • 2bc21b4 Update deps to latest, add browser build, fix readme es5 import, prepare release v1.0.2 (#157)
  • a04b5ca Corrected README example Wallet import to reference default parameter
  • eae95ab Corrected README example Wallet import to reference default parameter
  • 0d81c40 Merge pull request #139 from ethereumjs/new-release
  • 698e068 Bumped version to v1.0.1, added CHANGELOG entry
  • 744a79d Merge pull request #135 from torusresearch/master
  • 9b5f5fe Fix derviedKey Buffer in toV3
  • 5d21dda Fix issue with buffer concatenation while using scrypt
  • 0681d67 Merge pull request #134 from ethereumjs/discord-badge
  • 214d87f Replace gitter badge
  • f30e8b6 Merge pull request #129 from ethereumjs/new-release
  • 5c83398 Bumped version to v1.0.0, added CHANGELOG entry
  • cead4f9 Merge pull request #128 from Tenderly/removing-native-js-dependencies
  • c0edad3 Update HDKey require to import.
  • b6b4103 Removes semicolon.
  • 80ac8b2 Switching to hdkey from js-ethereum-cryptography.
  • 35df952 Merge pull request #127 from ethereumjs/update-hdkey-dependency
  • 5f504fd update to hdkey 2.0.1
  • 8fc5410 Updated hdkey dependency from v1.1.1 to v2.0.0 (updated secp256k1 dependency to v4)
  • 23c7106 Merge pull request #126 from ethereumjs/update-ethereumjs-util
  • 9228c81 Updated ethereumjs-util dependency to v7.0.2
  • 626e720 Merge pull request #125 from ethereumjs/use-scrypt-js
  • 110c3b5 remove freenode reference
  • 71d1c44 use `scrypt-js`

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

