This repository has been archived by the owner on Aug 11, 2021. It is now read-only.
Deprecated zcash-bitcore-lib contains an outdated lodash with security vulnerability #24
Labels
exp/expert
Having worked on the specific codebase is important
help wanted
Seeking public contribution on this issue
P2
Medium: Good to have, but can wait until someone steps up
status/ready
Ready to be worked
Comments
If there's a better Zcash library, I'm happy to switch to another one.

@noman-land Sorry I didn't follow the links. I wasn't aware that the library we were using was officially deprecated. It's cool that it links to another (https://github.com/zcash-hackworks/bitcore-lib-zcash). If anyone wants to give that one a spin (or any other lib), PRs are welcome :)

I don't know if I'd feel comfortable making the changes but it's worth mentioning that the lib you linked to also has an outdated version of lodash 🤦♂️ .

I've spent a bit of time to find a library that can parse Zcash blocks/transactions that has working tests. I couldn't find any. So if anyone has/finds one, please let me know.
daviddias added the labels help wanted (Seeking public contribution on this issue), status/ready (Ready to be worked), exp/expert (Having worked on the specific codebase is important) and P2 (Medium: Good to have, but can wait until someone steps up) on Oct 27, 2018.
alanshaw pushed a commit to ipfs/js-ipfs that referenced this issue on Oct 24, 2019:
We _need_ to do something until ipld/js-ipld-zcash#24 gets resolved. npm is currently reporting that `ipfs` has security vulnerabilities because of this and users are [opening issues](#2526) to report it. [The issue](ipld/js-ipld-zcash#24) has been open for over a year so we can't assume anything is going to be resolved any time soon 😢.

This PR moves `ipld-zcash` from `dependencies` to `devDependencies` for two reasons:

1. So `ipld-zcash` is not installed by default when people `npm i ipfs` (and so they won't get a security warning)
2. So we can still generate the prebuilt browser bundle that includes ALL IPLD formats

In `ipld-nodejs.js` we try/catch around the require to `ipld-zcash` allowing users to simply install the dependency in their project to retain the previous behaviour (and not make any code changes).

BREAKING CHANGE: `ipld-zcash` is no longer installed by default. If you need to work with zcash IPLD nodes, simply `npm i ipld-zcash` in your project and everything will work as before.

License: MIT
Signed-off-by: Alan Shaw <[email protected]>
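The commit message above describes making `ipld-zcash` an optional dependency by wrapping its `require` in a try/catch. The following is an added example of that loading pattern, not code from js-ipfs or js-ipld-zcash; the format names in the lists and the `sampleRequire` resolver are constructed so it runs offline. The point it adds is the catch condition: only a `MODULE_NOT_FOUND` that names the module being asked for means "not installed", so a broken or half-installed format still fails loudly instead of being silently dropped.

```javascript
// Added example (not js-ipfs or js-ipld-zcash code): optional-dependency loader
// in the spirit of the try/catch-around-require approach described above.

// Only a "module not found" error naming the module we asked for means "not
// installed". A MODULE_NOT_FOUND raised deeper (a missing transitive dependency
// of the format) or any other error is re-thrown, so real breakage stays visible.
function loadOptional(name, requireFn) {
  try {
    return requireFn(name)
  } catch (err) {
    const notFound = err && err.code === 'MODULE_NOT_FOUND'
    const aboutThisModule = typeof err.message === 'string' && err.message.includes(`'${name}'`)
    if (notFound && aboutThisModule) return null
    throw err
  }
}

// Load every required format unconditionally and each optional format only if
// present. Returns what loaded and which optional formats were skipped so the
// caller can log the skip rather than hide it.
function loadFormats(required, optional, requireFn) {
  const loaded = {}
  const skipped = []
  for (const name of required) loaded[name] = requireFn(name)
  for (const name of optional) {
    const mod = loadOptional(name, requireFn)
    if (mod === null) skipped.push(name)
    else loaded[name] = mod
  }
  return { loaded, skipped }
}

// Constructed stand-in for Node's require() so the example runs offline:
// 'ipld-zcash' is "not installed", 'ipld-broken' (hypothetical) is installed
// but is itself missing a transitive dependency, everything else resolves.
function missingModuleError(name) {
  const err = new Error(`Cannot find module '${name}'`)
  err.code = 'MODULE_NOT_FOUND'
  return err
}
function sampleRequire(name) {
  if (name === 'ipld-zcash') throw missingModuleError('ipld-zcash')
  if (name === 'ipld-broken') throw missingModuleError('some-transitive-dep')
  return { format: name }
}

// Demo: the zcash format is skipped, the required ones load.
const demo = loadFormats(['ipld-dag-pb', 'ipld-dag-cbor'], ['ipld-zcash'], sampleRequire)
console.log(demo.skipped) // ['ipld-zcash']
```

In a real Node module you would pass `require` itself as `requireFn` and log each entry of `skipped` once at startup, so a user who expected zcash support can see why it is missing.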
With #46 merged we no longer use zcash-bitcore-lib.
I'm getting a few low severity security warnings from `npm audit` for [email protected] because this lib is using a deprecated zcash-bitcore-lib (npm) (github) which has an old version of lodash in it. Would you consider using a more up to date fork that has a newer lodash? It appears that versions >=4.17.5 have resolved this issue.