From 840834e833f9b077e0f29828140cc8cd91be3ee2 Mon Sep 17 00:00:00 2001
From: Dawid Sowa
Date: Thu, 17 Oct 2024 16:52:46 +0200
Subject: [PATCH] Update elliptic to 6.5.7 (CVE-2024-42461) (#206)
* Update elliptic to 6.5.7 (CVE-2024-42461)
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
See https://nvd.nist.gov/vuln/detail/CVE-2024-42461 https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-7577918
---
 .github/workflows/ci.yaml | 65 ++++++++++++++++----------------------
 Makefile | 4 +--
 package.json | 12 ++++----
 3 files changed, 35 insertions(+), 46 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index dee68ec..206a6fe 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -18,12 +18,21 @@ jobs:
 - windows-latest
 steps:
 - name: Fetch code
- uses: actions/checkout@v1
+ uses: actions/checkout@v4
 with:
 submodules: true
+ - name: Get minimal Node.js version from package.json
+ id: node-version
+ run: echo "::set-output name=version::$(node -p 'require("./package.json").engines.node.match(/(\d+)\..*$/)[1]')"
+
+ - name: Use Node.js ${{ steps.node-version.outputs.version }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ steps.node-version.outputs.version }}
+
 - name: Install dependencies
- run: yarn install --ignore-scripts
+ run: npm install --ignore-scripts
 - name: Build addon
 if: runner.os != 'Linux'
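Review bot: The new `Get minimal Node.js version from package.json` step publishes its result through the deprecated `::set-output` workflow command, which GitHub has flagged for removal and which also lets anything the step happens to print on stdout define a step output; writing to the environment file avoids both, e.g. `run: echo "version=$(node -p 'require("./package.json").engines.node.match(/(\d+)\..*$/)[1]')" >> "$GITHUB_OUTPUT"` with `shell: bash` on the step. Forcing bash also settles the quoting question this hunk reopens: the step now runs unchanged on the Windows runner, whereas the removed Windows-only variant (next hunk) escaped the inner double quotes as `\"` because PowerShell passes embedded quotes to native commands differently depending on its version. The unchanged `pkg-version` step further down the file uses the same deprecated command and would benefit from the same treatment. Separately, `actions/checkout@v4` and `actions/setup-node@v4` resolve a mutable tag at run time; given that this commit already pins `prebuildify-cross` to a full commit SHA in package.json, pinning each action to a full commit SHA with the release in a trailing `# vX.Y.Z` comment would be consistent and closes the tag-retargeting window.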
@@ -33,33 +42,11 @@ jobs: if: runner.os == 'Linux' run: make build-addon-linux - - name: Get minimal Node.js version from package.json (Linux & macOS) - id: node-version-nix - if: runner.os != 'Windows' - run: echo "::set-output name=version::$(node -p 'require("./package.json").engines.node.match(/(\d.*)$/)[0]')" - - - name: Use Node.js ${{ steps.node-version-nix.outputs.version }} (Linux & macOS) - if: runner.os != 'Windows' - uses: actions/setup-node@v1 - with: - node-version: ${{ steps.node-version-nix.outputs.version }} - - - name: Get minimal Node.js version from package.json (Windows) - id: node-version-win - if: runner.os == 'Windows' - run: echo "::set-output name=version::$(node -p 'require(\"./package.json\").engines.node.match(/(\d.*)$/)[0]')" - - - name: Use Node.js ${{ steps.node-version-win.outputs.version }} (Windows) - if: runner.os == 'Windows' - uses: actions/setup-node@v1 - with: - node-version: ${{ steps.node-version-win.outputs.version }} - - name: Run tests for addon run: make test-tap - name: Upload prebuilds - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: addon-${{ runner.os }} path: prebuilds 
@@ -70,30 +57,34 @@ jobs: runs-on: ubuntu-latest steps: - name: Fetch code - uses: actions/checkout@v1 + uses: actions/checkout@v4 with: submodules: true - name: Install dependencies - run: yarn install --ignore-scripts + run: npm install --ignore-scripts - name: Download macOS addon - uses: actions/download-artifact@v1 + uses: actions/download-artifact@v4 with: name: addon-macOS - name: Download Linux addon - uses: actions/download-artifact@v1 + uses: actions/download-artifact@v4 with: name: addon-Linux - name: Download Windows addon - uses: actions/download-artifact@v1 + uses: actions/download-artifact@v4 with: name: addon-Windows - name: Move addons to one folder - run: mkdir prebuilds && mv ./addon-*/* ./prebuilds/ + run: | + mkdir prebuilds + mv darwin-arm64 prebuilds + mv linux-x64 prebuilds + mv win32-x64 prebuilds - name: Build package run: make package @@ -103,7 +94,7 @@ jobs: run: echo "::set-output name=version::$(node -p 'require("./package.json").version')" - name: Upload package - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: package path: secp256k1-${{ steps.pkg-version.outputs.version }}.tgz @@ -113,11 +104,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Fetch code - uses: actions/checkout@v1 + uses: actions/checkout@v4 with: fetch-depth: 1 - - uses: actions/cache@v1 + - uses: actions/cache@v4 id: cache with: path: clang @@ -137,12 +128,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Fetch code - uses: actions/checkout@v1 - with: - fetch-depth: 1 + uses: actions/checkout@v4 - name: Install dependencies - run: yarn install --ignore-scripts + run: npm install --ignore-scripts - name: Run lint command run: make lint-js diff --git a/Makefile b/Makefile index 4057293..f852c6d 100644 --- a/Makefile +++ b/Makefile 
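Review bot: The rewritten `Move addons to one folder` step hard-codes the prebuild directory names `darwin-arm64`, `linux-x64` and `win32-x64`, so it breaks as soon as a `*-latest` runner image or the cross-build image changes architecture, and it silently leaves behind any extra target directory a future build emits. Since `actions/download-artifact@v4` accepts a `path`, and from v4.1 a `pattern` with `merge-multiple`, the three download steps and the shell block can collapse into one step that unpacks every `addon-*` artifact straight into `prebuilds/` without naming an architecture; the artifact names uploaded by the build job stay as they are. If any later step in this job depends on the artifact directories existing at the workspace root it would need adjusting; the remaining steps of the job run past the hunk, so I could not confirm that.
```yaml
      - name: Download addons
        uses: actions/download-artifact@v4
        with:
          pattern: addon-*
          path: prebuilds
          merge-multiple: true

      # … unchanged: Build package step …
```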
@@ -9,10 +9,10 @@ prebuildify-cross = ./node_modules/.bin/prebuildify-cross
 # hack, otherwise GitHub Actions for Windows: # '.' is not recognized as an internal or external command, operable program or batch file.
 build-addon:
- $(prebuildify) --target node@10.0.0 --napi --strip && node -p "process.platform"
+ $(prebuildify) --target node@18.0.0 --napi --strip && node -p "process.platform"
 build-addon-linux:
- $(prebuildify-cross) -i centos7-devtoolset7 -i alpine --target node@10.0.0 --napi --strip
+ $(prebuildify-cross) -i centos7-devtoolset7 -i alpine --target node@18.0.0 --napi --strip
 nyc = ./node_modules/.bin/nyc
diff --git a/package.json b/package.json
index e950e1d..8de56bf 100644
--- a/package.json
+++ b/package.json
@@ -32,15 +32,15 @@
 "install": "node-gyp-build || exit 0"
 },
 "dependencies": {
- "elliptic": "^6.5.4",
- "node-addon-api": "^2.0.0",
+ "elliptic": "^6.5.7",
+ "node-addon-api": "^5.0.0",
 "node-gyp-build": "^4.2.0"
 },
 "devDependencies": {
- "node-gyp": "^5.0.7",
+ "node-gyp": "=10.1.0",
 "nyc": "^15.0.0",
- "prebuildify": "^5.0.0",
- "prebuildify-cross": "^4.0.2",
+ "prebuildify": "^6.0.1",
+ "prebuildify-cross": "github:fanatid/prebuildify-cross#9f7af67698f06e07d42304d9813a6f19aee5812c",
 "standard": "^14.3.1",
 "tap-dot": "^2.0.0",
 "tape": "^4.10.1",
@@ -48,7 +48,7 @@
 "yargs": "^15.0.2"
 },
 "engines": {
- "node": ">=10.0.0"
+ "node": ">=18.0.0"
 },
 "gypfile": true
 }
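Review bot: `build-addon-linux` keeps cross-compiling inside the `centos7-devtoolset7` image while raising the target to `node@18.0.0`; CentOS 7 reached end of life in mid-2024, so that image no longer receives toolchain or base-package security updates, which matters for a native binary shipped to every Linux consumer. As far as I can tell the `--target` bump mostly selects which headers `--napi` builds against, whereas the image choice is what fixes the glibc floor and the provenance of the compiler, so the image deserves the comment the target already has, e.g. `# centos7-devtoolset7 sets the glibc floor; CentOS 7 is EOL — move to a maintained prebuildify-cross image`. Whether a maintained replacement image is available from the `prebuildify-cross` fork pinned in package.json is not visible here.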
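Review bot: `"elliptic": "^6.5.7"` only sets a floor: CI runs `npm install` and no lockfile appears in the diffstat, so the version actually resolved is whatever the newest 6.x is at install time — the CVE-2024-42461 fix is guaranteed, but the resolved tree is not reproducible and `npm audit` results will drift between runs. Committing a `package-lock.json` and switching the CI steps to `npm ci --ignore-scripts` would pin it; I believe elliptic had further advisories after 6.5.7 in late 2024, so the resolved version is worth checking periodically either way. The new `"prebuildify-cross": "github:fanatid/prebuildify-cross#9f7af676…"` is correctly pinned to a full commit SHA, but a git dependency bypasses registry provenance and `npm audit`, and this appears to be a personal fork rather than the upstream org; since JSON allows no comment, a short note in the repository on why the fork is needed and when to return to a registry release would help the next maintainer.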
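Review bot: Raising `engines.node` from `>=10.0.0` to `>=18.0.0` drops four Node majors in a commit framed as a security fix for elliptic; for consumers that is a breaking change under semver and should ship as a major version or at least be called out in the changelog. `npm` only warns on an `engines` mismatch unless `engine-strict` is set, so consumers on older runtimes will keep installing with a warning, and whether the node@18-targeted N-API prebuild still loads there (or the `node-gyp-build || exit 0` fallback above silently takes over) is not determined by this hunk. The package `version` field is outside the hunk, so I cannot tell whether it was bumped.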