Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade secp256k1 to >= 4.0.4 to address CVE-2024-48930 #15

Open
mcmire opened this issue Oct 29, 2024 · 0 comments
Open

Upgrade secp256k1 to >= 4.0.4 to address CVE-2024-48930 #15

mcmire opened this issue Oct 29, 2024 · 0 comments
Labels
team-wallet-framework

Comments

@mcmire
Copy link

mcmire commented Oct 29, 2024

secp256k1 is not a direct dependency of this project; it shows up in the dependency tree via ganache-cli. ganache-cli, and thus secp256k1, are development-only dependencies (they are used only for tests).

ganache-cli has been replaced by ganache. Unfortunately because development of ganache has ended, we cannot upgrade it to a version that uses a higher version of secp256k1. We may have to come up with another way of upgrade secp256k1.

Acceptance Criteria

  • package-lock.json should contain no references to secp256k1 < 4.0.4.

References

See security advisory: https://github.com/MetaMask/ethjs-filter/security/dependabot/21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
team-wallet-framework
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mcmire @desi