Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Supply chain protection is bad #1200

Open
paulmillr opened this issue Nov 9, 2023 · 0 comments
Open

Security: Supply chain protection is bad #1200

paulmillr opened this issue Nov 9, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@paulmillr
Copy link

paulmillr commented Nov 9, 2023
edited

node_modules directory is 195.4 megabytes. All dependencies are using open-ended version ranges.

Any rogue dependency update (NPM acct of any of your dependency developer getting hacked) and near-api-js will spread malware and trojans, steal private keys. It's obvious 195 MBs of code has not been fully audited, so you don't even know what's there.

Steps required to fix:

  1. Lock-down dependency versions, ensure the updates are rare
  2. Reduce amount of dependencies. For example, bn.js, which is security-critical since it's used in crypto, can be completely removed.

These actions were done in ethereumjs libraries a long time ago.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
NEAR DevX
Status: Backlog 🥶
Milestone
No milestone
Development

No branches or pull requests
1 participant
@paulmillr