Security issue: hdkey package
paulmillr opened this issue
Paul Miller commented
It's pretty old and uncool. Uses a lot of sub-deps. Unaudited subdeps which could be updated by different authors are a supply chain security issue.
The suggestion is to switch to https://github.com/paulmillr/scure-bip32 which is being used by ethereum-cryptography in your dep tree. Scure has been audited, paid for by EF.

bip39 could also be replaced with scure-bip39.
Paul Miller commented
not really a duplicate, more an extension: hdkey != bip39
Lazy commented
I feel like the priority of this should be bumped