Dependabot complains that:
If I'm reading it right, the CVE severity is set as critical.
This is fixed in elliptic 6.5.7.
I'm uncertain if the ethersproject has combined all their packages into one, or dropped their dependency on elliptic, but it doesn't appear in their 6.x package declaration anymore.
The latest @ethersproject/signing-key in their 5.7.x series, 5.7.2, still depends on the same elliptic version.
The latest [email protected] (and the master branch) depend on ethersproject dependencies 5.7. How much of a stretch would it be to bump ethersproject's dependencies to 6.x?
Thanks @pirj. We're removing this dependency in #56.
Please note that the elliptic package is not used by @openzeppelin/merkle-tree even though it's included among the transitive dependencies, so it's not affected by the vulnerability.
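One way to answer the question the thread raises (which dependency chain pulls elliptic in, and whether that copy is below the 6.5.7 fix) directly from a lock file. This is an added example and not code from the issue or from the @openzeppelin/merkle-tree project; the lock file contents, the package versions in it, and the helper names (findVulnerableChains, resolveDep, compareVersions) are constructed for the example and are not the project's real dependency tree.

```javascript
// Added example, not from the issue or the project: audit a package-lock.json
// ("packages" layout, lockfileVersion 2/3) for a dependency below a fixed
// version and list every dependency chain that pulls it in.

const TARGET = "elliptic";
const FIXED_VERSION = "6.5.7"; // the fix version named in the issue

// Constructed lock file (an assumption for the example, not the project's tree):
// the root depends on @ethersproject/signing-key, which depends on an
// elliptic release below the fix.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-root", version: "1.0.0",
      dependencies: { "@ethersproject/signing-key": "^5.7.0", "hash.js": "^1.1.7" },
    },
    "node_modules/@ethersproject/signing-key": {
      version: "5.7.2",
      dependencies: { elliptic: "6.5.4", "hash.js": "1.1.7" },
    },
    "node_modules/elliptic": { version: "6.5.4", dependencies: { "hash.js": "^1.0.0" } },
    "node_modules/hash.js": { version: "1.1.7" },
  },
};

// Compare plain dotted versions (x.y.z); prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name of a "packages" key: everything after the last "node_modules/".
function nameOf(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? key : key.slice(idx + "node_modules/".length);
}

// Resolve `dep` the way Node would from the package at `fromKey`: try the
// nested node_modules first, then walk up towards the root.
function resolveDep(lock, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Depth-first walk from the root. Returns every chain (root omitted) that ends
// in `target` at a version below `fixed`, e.g. ["a@1.0.0", "elliptic@6.5.4"].
function findVulnerableChains(lock, target = TARGET, fixed = FIXED_VERSION) {
  const results = [];
  const visit = (key, chain, onPath) => {
    const pkg = lock.packages[key];
    if (!pkg) return;
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const resolved = resolveDep(lock, key, dep);
      if (!resolved || onPath.has(resolved)) continue; // unresolvable or cyclic
      const entry = lock.packages[resolved];
      const next = chain.concat(nameOf(resolved) + "@" + entry.version);
      if (nameOf(resolved) === target) {
        if (compareVersions(entry.version, fixed) < 0) results.push(next);
      } else {
        onPath.add(resolved);
        visit(resolved, next, onPath);
        onPath.delete(resolved);
      }
    }
  };
  visit("", [], new Set([""]));
  return results;
}

// Report one line per chain. For a real project replace LOCK with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
for (const chain of findVulnerableChains(LOCK)) {
  console.log("vulnerable: " + chain.join(" -> "));
}
```

A chain in the output proves only that the affected release is installed, not that the code path is reached at runtime; the maintainer's reply above draws exactly that distinction for @openzeppelin/merkle-tree, so a hit here is where the reachability question starts, not where it ends.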