Security issue: hdkey package

Question

Security issue: hdkey package

paulmillr opened this issue a year ago · comments

It's pretty old and uncool. Uses a lot of sub-deps. Unaudited subdeps which could be updated by different authors is a supply chain security issue.

The suggestion is to switch to https://github.com/paulmillr/scure-bip32 which is being used by ethereum-cryptography in your dep tree. Scure has been audited, paid for by EF.

bip39 could also be replaced with scure-bip39.

cl · Answer 1 · Thu May 11 2023 08:59:57 GMT+0800 (China Standard Time)

duplicate of #1526

Paul Miller · Answer 2 · Thu May 11 2023 09:14:31 GMT+0800 (China Standard Time)

not really a duplicate, more an extension: hdkey != bip39

Lazy · Answer 3 · Tue May 23 2023 20:14:24 GMT+0800 (China Standard Time)

I feel like the priority of this should be bumped