Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove all dependencies, improve security #289

Open
paulmillr opened this issue Jul 22, 2022 · 2 comments
Open

Remove all dependencies, improve security #289

paulmillr opened this issue Jul 22, 2022 · 2 comments

Comments

@paulmillr
Copy link

elliptic/package.json

Lines 47 to 55 in 43ac7f2

"dependencies": {
"bn.js": "^4.11.9",
"brorand": "^1.1.0",
"hash.js": "^1.0.0",
"hmac-drbg": "^1.0.1",
"inherits": "^2.0.4",
"minimalistic-assert": "^1.0.1",
"minimalistic-crypto-utils": "^1.0.1"
}

I suggest to switch to developed and audited projects:

  • bn.js can be dropped, in favor of native bigints, which have been supported everywhere for a long time
  • brorand can be dropped in favor of a simple 5-lines-of-code file
  • hash.js can be replaced by @noble/hashes, which has been independently audited, and supports tree shaking
  • hmac-drbg and secp256k1 implementation can be replaced by @noble/secp256k1, which has been independently audited, uses native bigints, and is getting more and more popular. There is also an optional compatibility layer with old api
  • inherits does not seem that useful at this point, since the intro of es6 classes
  • minimalistic-assert, minimalistic-crypto-utils can be kept, I suggest to set their versions to a fixed value instead of range
  1. This solution is much faster than current elliptic impl.
  2. Elliptic is 130KB of minified code right now, which is huge. It can be tiny, a fraction of that.
@thibauld
Copy link

thibauld commented Aug 3, 2022

I fully second what @paulmillr just suggested.

Except that I would also suggest to remove minimalistic-assert and minimalistic-crypto-utils from the dependencies too.
Those packages are respectively 10 and 58 lines of code who haven't been updated for 4 and 6 years, just copy them in code's project. No need to add a dependency to an external package for that :) This would definitely reduce the attack surface for a supply chain attack.

@mbrunt
Copy link

mbrunt commented Apr 4, 2023

I was wondering how long it was going to take for someone to notice brorand.
I might code that change up and submit a pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@thibauld @paulmillr @mbrunt