
chore: fixes critical dependency version elliptic by upgrading browserify #28

Merged
georgewrmarshall merged 2 commits into master from fix/critical-severity
Mar 19, 2025

Conversation

@georgewrmarshall

Description

This PR addresses a critical security vulnerability in the elliptic package (CVE-2023-49276), which is a transitive dependency through browserify. The vulnerability is identified in Security Advisory #8.

Changes

  • Upgraded browserify from ^17.0.0 to ^17.0.1
  • This update includes the patched version of elliptic (6.6.1) which fixes the vulnerability

Dependency Path

browserify@17.0.1
└─┬ crypto-browserify@3.12.0
  ├─┬ browserify-sign@4.2.2
  │ └── elliptic@6.6.1
  └─┬ create-ecdh@4.0.4
    └── elliptic@6.6.1

Testing

  • Verified the demo build continues to work: npm run build-demo
  • Confirmed the security vulnerability is resolved
  • Package functionality remains unchanged as this only affects dev dependencies

Screenshots

Before

Screenshot 2025-03-19 at 12 26 39 PM

After

Screenshot 2025-03-19 at 12 22 16 PM

Security

This update resolves a critical severity vulnerability that could potentially allow attackers to recover private keys through a timing attack on ECDSA signatures.

Notes

  • This change only affects development dependencies and does not impact production builds of projects using @metamask/jazzicon

@socket-security

socket-security bot commented Mar 19, 2025

New and updated dependencies detected. Learn more about Socket for GitHub ↗︎

Package:           npm/browserify@17.0.0 -> 17.0.1
New capabilities:  Transitive: environment, eval
Transitives:       +146
Size:              6.58 MB
Publisher:         goto-bus-stop

View full report↗︎

@mcmire mcmire left a comment

LGTM!

@georgewrmarshall georgewrmarshall merged commit 4633b14 into master Mar 19, 2025
12 checks passed
@georgewrmarshall georgewrmarshall deleted the fix/critical-severity branch March 19, 2025 20:20