question-mark

Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Remove dangerous dependencies

See original GitHub issue

Issue Description

Current dep list is:

    "@ethersproject/bytes": "^5.6.1",
    "bn.js": "^5.2.1",
    "cross-fetch": "^3.1.5",
    "elliptic": "^6.5.4",
    "ethereum-cryptography": "^1.0.3",
    "hash.js": "^1.1.7",
    "json-bigint": "^1.0.0",
    "minimalistic-assert": "^1.0.1",
    "pako": "^2.0.4",
    "ts-custom-error": "^3.2.0",
    "url-join": "^4.0.1"

You’re depending on ethereum-cryptography, which contains audited versions of secp256k1, all sorts of hashes (sha2, sha3…); e-c also doesn’t use bn.js, instead, it uses native bigints.

So, I strongly suggest to remove bn.js, elliptic, hash.js — it would reduce your bundle size by a huge amount; and improve security drastically. Elliptic had 2 CVEs in 2020. Instead of them, you can simply use ethereum-cryptography stuff.

Issue Analytics

  • State:open
  • Created 6 months ago
  • Reactions:1
  • Comments:12

github_iconTop GitHub Comments

1reaction
tabaktonicommented, Sep 23, 2022

This Issue is Assigned to @katsumotoeth but there seems like no activity around it. Can we reassign it to @paulmillr true only dust?

1reaction
paulmillrcommented, Aug 2, 2022

Yes.

Read more comments on GitHub >

github_iconTop Results From Across the Web

How to Automatically Eliminate Dependency Hell - ActiveState
Delete unused/unnecessary dependencies to trim your dependency tree. Ensure your remaining dependencies are correct: Dependencies that need to ...
Read more >
Removing Effect Dependencies - React Docs
Unnecessary dependencies may cause your Effect to run too often, or even create an infinite loop. Follow this guide to review and remove...
Read more >
How to eliminate (or deal with) hidden dependencies
It's easy to unintentionally remove the module depended upon without removing the dependency. For instance, take the case of my package above.
Read more >
Delete Dependencies Action - OutSystems
Hi Community I can delete dependency logic objects. Is this a little dangerous, shouldn't they be protected? is this by design as I...
Read more >
The Intersection of Welfare Reform and Domestic Violence
The authors frame this discussion of dangerous dependencies with the ... because she was afraid that they would remove her custody of her...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found