https://github.com/stocks29/elliptic-test/blob/master/index.js

Thanks for the feedback. You are correct!
There will be another list of vulnerable libs for which although their sign api is safe, they do allow generating keypairs from uncoupled, potentially unmatched, private and public key material. elliptic will unfortunately be enlisted in the second wave of vulnerable apis due to this. I'll keep this issue open and reference it when the second list is ready (soonish).

Btw, we mention this type of vulnerability in this Reddit post, see sub-points in last bullet-point and we'll need your contribution to find similar libs. Amazing input, thanks!