Safe Buffer usage

[dcousens]

@fanatid review would be appreciated 👍 .

Non-controversial, but, sensitive and I'd like at least 2 extra eyes since it touches the ECDSA module.

This is not a breaking change (we're already at a minimum of Node 4.5.0)

[fanatid]

I like from/alloc/allocUnsafe, but this is not supported by node < 4.5.0 :(
do you sure about this?

[dcousens]

@fanatid we already bumped to 4.5.0 minimum with the 3.0.0 release whether we like it or not, as we use bs58check@2.0.0 ... we could revert that if necessary, but doesn't change the fact that this PR, right now, isn't a breaking change.

Personally, I'd rather patch the CHANGELOG to reflect #741

[dcousens]

So I guess this PR #750 was based on the wrong version number then... it should have been 4.5.0?

[fanatid]

extra parentheses for readable?

[dcousens]

standard@latest warns on these, haven't bumped yet in repository though - indeed it is just readability

[dcousens]

Should we use .alloc in places without fixed length? (aka, potentially malicious user input?)

[fanatid]

Currently engines.node is >=4.0.0, but all nodes < 4.5.0 not support from/alloc/allocUnsafe ...
https://github.com/bitcoinjs/bitcoinjs-lib/blob/v3.0.0/package.json#L7

[fanatid]

I see two variants in this PR: Buffer.alloc(length) and Buffer.allocUnsafe(length). Can you choose one?

[dcousens]

@fanatid I've used Buffer.alloc all through the tests... and Buffer.allocUnsafe in parts of the code where were previously using new Buffer; so no change.

We should probably only need need Buffer.alloc in cases of user input no?

[fanatid]

allocUnsafe (from docs) uses internal memory pool, maybe we should use alloc everywhere? (at least in bitcoinjs-lib)

[dcousens]

I think this code is tested well enough that we can use both?

[dcousens]

Wait... bs58check originally broke because it relied on bs58 [which uses base-x] which had the Buffer.from introduced by mistake... but that has since been reverted and we only lost 0.12... so actually this is a breaking change.

Blimey.
Waiting on travis to confirm.

[fanatid]

travis will be fine, because 4 there is a link to latest 4.x

[fanatid]

base-x was bumped correctly https://github.com/cryptocoinjs/base-x/blob/v3.0.0/package.json#L41

[dcousens]

@fanatid only after a screw around.
Hence my confusion; and why yes, this is a breaking change.

Well, I guess this isn't merging any time soon then. Ha.

[dcousens]

Re-targeting 3.0.0 by using safe-buffer

[dcousens]

Rebased, using safe-buffer and good to merge for a patch release