Bitmessage/bitmessage-js
2
0
Fork 1
Code Issues 1 Pull Requests 1 Actions Packages Releases Activity

Maybe stop using a dangerous and abandoned package bignum? #3

New Issue
Open
opened 2024-03-09 16:27:18 +01:00 by lee.miller · 0 comments
lee.miller commented 2024-03-09 16:27:18 +01:00
Contributor
Copy Link

Hi!

I'm taking this nontrivial issue from #1. npm audit fix warns about a vulnerability:


bignum  *
Severity: high
Uncaught Exception in bignum - https://github.com/advisories/GHSA-6429-3g3w-6mw5
No fix available
node_modules/bignum

1 high severity vulnerability

Some issues need review, and may require choosing
a different dependency.

Here bignum is used in the node part, and bn.js is for browser. eccrypto doesn't depend on any of them directly, but bn.js is one of it's final dependencies:

root@c98080e218e6:/app# grep bignum package*
root@c98080e218e6:/app# grep bn.js package*
package-lock.json:        "bn.js": "^4.0.0",
package-lock.json:    "node_modules/bn.js": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.11.9.tgz",
package-lock.json:        "bn.js": "^5.0.0",
package-lock.json:    "node_modules/browserify-rsa/node_modules/bn.js": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.0.tgz",
package-lock.json:        "bn.js": "^5.2.1",
package-lock.json:    "node_modules/browserify-sign/node_modules/bn.js": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.1.tgz",
package-lock.json:        "bn.js": "^4.11.9",
package-lock.json:    "node_modules/browserify-sign/node_modules/elliptic/node_modules/bn.js": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz",
package-lock.json:        "bn.js": "^4.1.0",
package-lock.json:        "bn.js": "^4.1.0",
package-lock.json:        "bn.js": "^4.11.9",
package-lock.json:        "bn.js": "^4.0.0",
package-lock.json:        "bn.js": "^4.1.0",
package-lock.json:        "bn.js": "^4.11.8",
package-lock.json:        "bn.js": "^4.0.0",
package-lock.json:    "bn.js": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.11.9.tgz",
package-lock.json:        "bn.js": "^5.0.0",
package-lock.json:        "bn.js": {
package-lock.json:          "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.0.tgz",
package-lock.json:        "bn.js": "^5.2.1",
package-lock.json:        "bn.js": {
package-lock.json:          "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.1.tgz",
package-lock.json:            "bn.js": "^4.11.9",
package-lock.json:            "bn.js": {
package-lock.json:              "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz",
package-lock.json:        "bn.js": "^4.1.0",
package-lock.json:        "bn.js": "^4.1.0",
package-lock.json:        "bn.js": "^4.11.9",
package-lock.json:        "bn.js": "^4.0.0",
package-lock.json:        "bn.js": "^4.1.0",
package-lock.json:        "bn.js": "^4.11.8",

The bn.js has no found vulnerabilities and is more recent:

root@c98080e218e6:/app# npm audit fix

up to date, audited 397 packages in 2s

49 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

So I was going to replace usage of the bignum by the bn.js and see what happen to the tests and sample code. The bignum page though suggests switching to BigInt instead.

Hi! I'm taking this nontrivial issue from #1. `npm audit fix` warns about a vulnerability: ``` bignum * Severity: high Uncaught Exception in bignum - https://github.com/advisories/GHSA-6429-3g3w-6mw5 No fix available node_modules/bignum 1 high severity vulnerability Some issues need review, and may require choosing a different dependency. ``` Here `bignum` is used in the node part, and `bn.js` is for browser. `eccrypto` doesn't depend on any of them directly, but `bn.js` is one of it's final dependencies: ``` root@c98080e218e6:/app# grep bignum package* root@c98080e218e6:/app# grep bn.js package* package-lock.json: "bn.js": "^4.0.0", package-lock.json: "node_modules/bn.js": { package-lock.json: "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.11.9.tgz", package-lock.json: "bn.js": "^5.0.0", package-lock.json: "node_modules/browserify-rsa/node_modules/bn.js": { package-lock.json: "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.0.tgz", package-lock.json: "bn.js": "^5.2.1", package-lock.json: "node_modules/browserify-sign/node_modules/bn.js": { package-lock.json: "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.1.tgz", package-lock.json: "bn.js": "^4.11.9", package-lock.json: "node_modules/browserify-sign/node_modules/elliptic/node_modules/bn.js": { package-lock.json: "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz", package-lock.json: "bn.js": "^4.1.0", package-lock.json: "bn.js": "^4.1.0", package-lock.json: "bn.js": "^4.11.9", package-lock.json: "bn.js": "^4.0.0", package-lock.json: "bn.js": "^4.1.0", package-lock.json: "bn.js": "^4.11.8", package-lock.json: "bn.js": "^4.0.0", package-lock.json: "bn.js": { package-lock.json: "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.11.9.tgz", package-lock.json: "bn.js": "^5.0.0", package-lock.json: "bn.js": { package-lock.json: "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.0.tgz", package-lock.json: "bn.js": "^5.2.1", package-lock.json: "bn.js": { package-lock.json: "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.1.tgz", package-lock.json: "bn.js": "^4.11.9", package-lock.json: "bn.js": { package-lock.json: "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz", package-lock.json: "bn.js": "^4.1.0", package-lock.json: "bn.js": "^4.1.0", package-lock.json: "bn.js": "^4.11.9", package-lock.json: "bn.js": "^4.0.0", package-lock.json: "bn.js": "^4.1.0", package-lock.json: "bn.js": "^4.11.8", ``` The `bn.js` has no found vulnerabilities and is [more recent](https://www.npmjs.com/package/bn.js): ``` root@c98080e218e6:/app# npm audit fix up to date, audited 397 packages in 2s 49 packages are looking for funding run `npm fund` for details found 0 vulnerabilities ``` So I was going to replace usage of the `bignum` by the `bn.js` and see what happen to the tests and sample code. The [bignum page](https://www.npmjs.com/package/bignum) though suggests switching to `BigInt` instead.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Bitmessage/bitmessage-js#3
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?