Skip to content

Commit

Permalink
fix(deps): elliptic upgrade to >6.5.3 for CVE-2020-28498
Browse files Browse the repository at this point in the history 
The updates here were automatically done by running the
`npx lerna-audit` shell command in the project root.

GHSA-r9p9-mrjm-926w

CVE-2020-28498
moderate severity
Vulnerable versions: < 6.5.4
Patched version: 6.5.4
The npm package elliptic before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
  • Loading branch information
@petermetz
petermetz committed Apr 16, 2021
1 parent a285b96 commit d75b9af
Show file tree
Hide file tree
Showing 13 changed files with 2,174 additions and 3,341 deletions.
224 changes: 142 additions & 82 deletions examples/cactus-example-supply-chain-backend/package-lock.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit d75b9af

Please sign in to comment.