[Snyk] Upgrade ethereumjs-wallet from 0.6.5 to 1.0.2 #7

Open
wants to merge 1 commit into
base: master

Boomtokn

Snyk has created this PR to upgrade ethereumjs-wallet from 0.6.5 to 1.0.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 3 versions ahead of your current version.

  • The recommended version was released 3 years ago.

Release notes
Package name: ethereumjs-wallet
  • 1.0.2 - 2021-10-08
    • Updated dependencies to latest, added browser build, PR #157

    Included Source Files

    Source files from the src folder are now included in the distribution build. This allows for a better debugging experience in debug tools like Chrome DevTools by having working source map references to the original sources available for inspection.

  • 1.0.1 - 2020-09-24
    • Fixed a browser issue in Wallet.fromV3() and Wallet.toV3() triggered when using web bundlers using Buffer v4 shim (Webpack 4),
      see PR #135
  • 1.0.0 - 2020-06-24

    This is the first TypeScript release on the library (thanks @the-jackalope for the rewrite! ❤️), see PR #93 for the main PR here. The release comes with various breaking changes.

    Library Import / API Documentation

    The way submodules are exposed has been changed along the TypeScript rewrite and you will likely have to update your imports. Here is an example for the hdkey submodule:

    Node.js / ES5:

    const { hdkey } = require('ethereumjs-wallet')

    ESM / TypeScript:

    import { hdkey } from 'ethereumjs-wallet'

    See README for examples on the other submodules.

    Together with the switch to TypeScript the previously static documentation has been automated to now being generated with TypeDoc to reflect all latest changes, see PR #98. See the new docs for an overview on the TypeScript based API.

    API Changes

    The API of the library hasn't been changed intentionally but has become more strict on type input by the explicit type definitions from the TypeScript code in function signatures together with the introduction of the ethereumjs-util v7 library within the Wallet library, which behaves more strictly on type input on the various utility functions.

    This leads to cases where some input - while not having been the intended way to use the library - might have worked before through implicit type conversion and is now not possible any more.

    One example for this is the Wallet.fromPublicKey() function, here is the old code of the function:

    Wallet.fromPublicKey = function(pub, nonStrict) {
      if (nonStrict) {
        pub = ethUtil.importPublic(pub)
      }
      return new Wallet(null, pub)
    }

    and here the new TypeScript code:

    public static fromPublicKey(publicKey: Buffer, nonStrict: boolean = false): Wallet {
      if (nonStrict) {
        publicKey = importPublic(publicKey)
      }
      return new Wallet(undefined, publicKey)
    }

    This function worked in the v0.6.x version also with passing in a string, since the ethereumjs-util v6 importPublic method converted the input implicitly to a Buffer. The v1.0.0 version now directly enforces the fromPublicKey input to be a Buffer first hand.

    There will likely be more cases like this in the code since the type input of the library hasn't been documented in the older version. So we recommend here to go through all your function signature usages and see if you use the correct input types. While a bit annoying this is a one-time task you will never have to do again since you can now profit from the clear TypeScript input types being both documented and enforced by the TypeScript compiler.

    Pure JS Crypto Dependencies

    This library now uses pure JS crypto dependencies which don't bring in the need for native compilation on installation. For scrypt key derivation scrypt-js from @ricmoo is used (see PR #125).

    For BIP-32 key derivation the new ethereum-cryptography library is used which is a new Ethereum Foundation backed and formally audited library to provide pure JS cryptographic primitives within the Ethereum ecosystem (see PR #128).

    Removed ProviderEngine

    Support for Provider Engine has been removed for security reasons, since the package is not very actively maintained and superseded by json-rpc-engine.

    If you need the removed functionality, it should be relatively easily possible to do this integration by adopting the code from provider-engine.ts.

    See also: PR #117

    Other Changes

    Bug Fixes

    • Fixes a bug where salt, iv and/or uuid options - being supplied as strings to Wallet.toV3() - could lead to errors during encryption and/or output that could not be decrypted, PR #95

    Refactoring & Maintenance

    Development & CI

    • Integrated the ethereumjs-config EthereumJS developer configuration standards, PR #93 (TypeScript PR)
    • Added org links and Git hooks, PR #88
  • 0.6.5 - 2020-07-16
from ethereumjs-wallet GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
ethereumjs-wallet

See this project in Snyk:
https://app.snyk.io/org/boomtokn/project/801774dc-2ee3-4933-b791-827a2684e154?utm_source=github&utm_medium=referral&page=upgrade-pr
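
Added example, not part of the PR or of ethereumjs-wallet: a boundary helper for the `Wallet.fromPublicKey()` change described in the release notes, turning string or typed-array input into the `Buffer` that 1.x requires and choosing the `nonStrict` flag. The helper name `toPublicKeyArgs`, the sample values, and the length rules (64-byte raw key for strict mode, 33/65-byte SEC1 encodings for `nonStrict`) are assumptions of this example.

```javascript
// Normalise caller input before handing it to Wallet.fromPublicKey() in 1.x.
// toPublicKeyArgs is a hypothetical helper, not a library function.
const HEX_RE = /^(?:0x)?([0-9a-fA-F]*)$/

function toPublicKeyArgs(input) {
  let key
  if (Buffer.isBuffer(input)) {
    key = input
  } else if (input instanceof Uint8Array) {
    key = Buffer.from(input)
  } else if (typeof input === 'string') {
    const m = HEX_RE.exec(input)
    // Buffer.from(str, 'hex') silently truncates at the first invalid or
    // unpaired character, so reject such strings instead of decoding them.
    if (!m || m[1].length % 2 !== 0) {
      throw new TypeError('public key string must be even-length hex')
    }
    key = Buffer.from(m[1], 'hex')
  } else {
    throw new TypeError('public key must be a Buffer, Uint8Array or hex string')
  }

  // Assumption: 64 bytes is the raw x||y form accepted in strict mode.
  if (key.length === 64) return { publicKey: key, nonStrict: false }

  // Assumption: 33/65-byte SEC1 keys need nonStrict = true so that
  // importPublic() converts them, as in the fromPublicKey code quoted above.
  const sec1 =
    (key.length === 33 && (key[0] === 0x02 || key[0] === 0x03)) ||
    (key.length === 65 && key[0] === 0x04)
  if (sec1) return { publicKey: key, nonStrict: true }

  throw new RangeError(`unexpected public key length: ${key.length} bytes`)
}

// Constructed sample inputs (byte patterns, not real keys).
const rawHex = '0x' + 'ab'.repeat(64) // 64-byte raw form as a hex string
const sec1Hex = '04' + 'cd'.repeat(64) // 65-byte uncompressed SEC1 form

function demo() {
  const a = toPublicKeyArgs(rawHex)
  const b = toPublicKeyArgs(sec1Hex)
  // With the library installed: Wallet.fromPublicKey(a.publicKey, a.nonStrict)
  return [a.publicKey.length, a.nonStrict, b.publicKey.length, b.nonStrict]
}
```
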
@Boomtokn

Boomtokn commented Feb 25, 2025

Snyk checks have failed. 5 issues have been found so far.

Severity   Issues
Critical   2
High       3
Medium     0
Low        0

security/snyk check is complete. 5 issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)


New dependencies detected.

Package: npm/ethereumjs-wallet@1.0.2
New capabilities: Transitive: environment, filesystem
Transitives: +21
Size: 7.14 MB
Publisher: ralxz
