Update Onboard Ledger Connect Kit deps #2027
Comments
tuckerchapin
changed the title
|
Blocknative’s Web3-Onboard pulls in the latest Ledger Connect Kit update. It is now pulling in 1.1.8. Please ensure you are using the latest version of Web3-Onboard let us know if you have any questions We are working closely with the Ledger team as they improve and update their processes for the Ledger dependencies. According to the Ledger team the malicious software was only delivered for 5 hours and believed to only be active for two - https://twitter.com/Ledger/status/1735326240658100414 Also for avoidance of doubt: To confirm you are on the latest version, load dapp, select Ledger from the Web3-onboard option, open developer console, select Sources tab and expand the folder shown in the image below. 
|
|
Can you address whether or not users utilizing the ledger connect kit via web3-onboard are potentially still vulnerable due to browsers cacheing the delivered package? Seems like the max-age for the package is 7 days. If a user doesn't clear his or her cache they could be loading the malicious package. Be safe out there. |
Current Behavior
Ledger recently announced a vulnerability in Ledger Connect Kit which Onboard depends on.
Expected Behavior
No response
Steps To Reproduce
No response
What package is effected by this issue?
@web3-onboard/ledger
Is this a build or a runtime issue?
N/A
Package Version
Latest
Node Version
No response
What browsers are you seeing the problem on?
No response
Relevant log output
No response
Anything else?
No response
Sanity Check
The text was updated successfully, but these errors were encountered: