Upgrade secp256k1 to >= 4.0.4 to address CVE-2024-48930 #150

@mcmire

Description

secp256k1 is not a direct dependency of this project; it shows up in the dependency tree via ganache. ganache, and thus secp256k1, are development-only dependencies (they are used only for tests).

Unfortunately, because development of ganache has ended, we cannot upgrade it to a version that uses a higher version of secp256k1. We may have to come up with another way of upgrading secp256k1.

Acceptance Criteria

  • yarn why secp256k1 should display no instances of secp256k1 using version < 4.0.4.

References

See security advisory: https://github.com/MetaMask/eth-token-tracker/security/dependabot/31
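The acceptance criterion above is a manual check on `yarn why` output. The following is an added example (not part of this issue or of the MetaMask project) that automates it: it pulls every `secp256k1@x.y.z` occurrence out of captured `yarn why secp256k1` output and reports any version below 4.0.4. It assumes the two common output shapes (Yarn 1 `=> Found "parent#secp256k1@x.y.z"` lines and Yarn Berry `secp256k1@npm:x.y.z` tree nodes); the sample outputs are constructed, not captured from this repository.

```python
import re

# Minimum secp256k1 release that the issue requires (from the advisory referenced above).
MIN_FIXED = (4, 0, 4)

# Matches "secp256k1@3.8.0" (Yarn 1: => Found "ganache#secp256k1@3.8.0") and
# "secp256k1@npm:4.0.3" (Yarn Berry tree output). Only the numeric core is
# compared; pre-release suffixes are not expected for this package.
_VERSION_RE = re.compile(r'secp256k1@(?:npm:)?(\d+)\.(\d+)\.(\d+)')


def parse_versions(yarn_why_output):
    """Return the set of distinct secp256k1 versions found in `yarn why` output."""
    return {tuple(int(p) for p in m.groups()) for m in _VERSION_RE.finditer(yarn_why_output)}


def vulnerable_versions(yarn_why_output, min_fixed=MIN_FIXED):
    """Return versions below the fixed release, sorted, as 'x.y.z' strings."""
    return ['.'.join(map(str, v)) for v in sorted(parse_versions(yarn_why_output)) if v < min_fixed]


def meets_acceptance_criteria(yarn_why_output):
    """True when no secp256k1 instance older than MIN_FIXED is present."""
    return not vulnerable_versions(yarn_why_output)


# Constructed sample in Yarn 1 style (assumption: this is how Yarn 1 prints `yarn why`).
SAMPLE_YARN1 = '''\
yarn why v1.22.19
[1/4] Why do we have the module "secp256k1"...?
=> Found "secp256k1@3.8.0"
info Reasons this module exists
   - "ganache#example-transitive-dep" depends on it
=> Found "ganache#secp256k1@4.0.2"
info This module exists because "ganache" depends on it.
=> Found "example-direct-dep#secp256k1@4.0.4"
Done in 0.45s.
'''

# Constructed sample in Yarn Berry tree style, as it would look once only the fixed version remains.
SAMPLE_BERRY = '''\
└─ ganache@npm:7.9.2
   └─ secp256k1@npm:4.0.4 (via npm:^4.0.1)
'''

if __name__ == '__main__':
    for name, out in (('yarn1', SAMPLE_YARN1), ('berry', SAMPLE_BERRY)):
        bad = vulnerable_versions(out)
        print(f'{name}: {"OK" if not bad else "still vulnerable: " + ", ".join(bad)}')
```

In a real check, pipe `yarn why secp256k1` into `vulnerable_versions` and fail the job when the list is non-empty.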
