Skip to content
This repository has been archived by the owner on Oct 7, 2024. It is now read-only.

integrate MM @scure/bip39 fork once released #67

Merged
merged 6 commits into from
Sep 27, 2022

Conversation

adonesky1
Copy link
Contributor

@adonesky1 adonesky1 commented Aug 23, 2022

While seeking to remove extraneous wordlists from the extension bundle as part of the MV3 effort,I recalled that we had discussed switching our BIP39 library from bitcoinjs/bip39 to @scure/bip39.

This PR pulls in the new MetaMask owned fork of @scure/bip39 to preserve the security requirement that we store and pass mnemonics in a format other than plain-text/string. As part of the transition to this implementation, mnemonics will be stored/passed as Uint8Arrays instead of Buffers.

Modifications to accommodate this interface change are applied to generateRandomMnemonic, serialize

This PR also removes ethereumjs-util as a direct dependency and moves it (as upgraded version - now named @ethereumjs/util) to devDependency.

The failing socket security report are pointing to all pre-existing and un-altered packages.

A follow up PR (which I've started work on) will be submitted soon to replace ethereumjs-wallet and the old version of ethereum-cryptography which socket-security is complaining about.

@socket-security
Copy link

socket-security bot commented Aug 23, 2022

Socket Security Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 New install scripts detected

A dependency change in this PR is introducing new install scripts to your install step.

Package Script field Location
[email protected] (added) binding.gyp package.json via [email protected], @jest/[email protected], [email protected], [email protected], [email protected], [email protected]
[email protected] (added) binding.gyp package.json via [email protected], @jest/[email protected], [email protected], [email protected], [email protected], [email protected]
[email protected] (added) install package.json via [email protected], @jest/[email protected], [email protected], [email protected], [email protected], [email protected]
[email protected] (added) install package.json via [email protected], @jest/[email protected], [email protected], [email protected], [email protected], [email protected]
🫣 Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Package Location
[email protected] (added) package.json via [email protected], @jest/[email protected], [email protected], [email protected], [email protected], [email protected]
[email protected] (added) package.json via [email protected], @jest/[email protected], [email protected], [email protected], [email protected], [email protected]
Socket.dev scan summary
Issue Status
Did you mean? ✅ no new possible package typos
Install scripts ⚠️ 4 new install scripts detected
Telemetry ✅ no new telemetry
Troll package ✅ no new troll packages
Malware ✅ no new malware
Native code ⚠️ 2 new native modules detected
Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] [email protected]

Ignoring: [email protected], [email protected]

Powered by socket.dev

Comment on lines +10 to +12
rules: {
'node/no-unpublished-require': 0,
},
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For future reference, we can leave this rule enabled add add files to package.json instead.

The rule gets confused between production and test modules unless you are explicit about what is published. So far in this package we've been publishing the test files, so the rule assumes they're part of the package, and hence that we've made a mistake by adding modules used in tests as devDependencies.

By ensuring the tests aren't published, we resolve the warnings from this rule as well.

@adonesky1 adonesky1 force-pushed the integrating-scure/bip39 branch from c3df4eb to 0a084e1 Compare August 25, 2022 20:08
@adonesky1 adonesky1 force-pushed the integrating-scure/bip39 branch 3 times, most recently from 8b21927 to 4bcd4a9 Compare September 13, 2022 18:51
@adonesky1 adonesky1 force-pushed the integrating-scure/bip39 branch 2 times, most recently from e0d342c to 40cdb31 Compare September 14, 2022 19:57
@adonesky1 adonesky1 marked this pull request as ready for review September 15, 2022 22:21
@adonesky1 adonesky1 requested a review from a team as a code owner September 15, 2022 22:21
Copy link
Member

@kumavis kumavis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to see tests that show the generated accounts (eg from 100 SRPs) match those generated by the old library given the same SRP

@kumavis
Copy link
Member

kumavis commented Sep 16, 2022

@adonesky1
Copy link
Contributor Author

I'd like to see tests that show the generated accounts (eg from 100 SRPs) match those generated by the old library given the same SRP

Actually I'm not sure I follow how this has to do with the changes here... We are changing the package that generates the SRPs not logic that derives the accounts

@adonesky1
Copy link
Contributor Author

adonesky1 commented Sep 16, 2022

ah I suppose we could compare the derived outputs of mnemonicToSeedSync from the old bip39 version vs. the new.

@adonesky1
Copy link
Contributor Author

adonesky1 commented Sep 16, 2022

@kumavis hows this look: 91ee4c8 ?

@adonesky1 adonesky1 force-pushed the integrating-scure/bip39 branch from 69e8e0f to 91ee4c8 Compare September 16, 2022 23:39
@adonesky1 adonesky1 requested a review from kumavis September 16, 2022 23:41
@adonesky1
Copy link
Contributor Author

The error on node v 18.9.0 is new... not sure about it yet. But will dig in. I am planning to remove ethereumjs/wallet (where its thrown) in the next PR also

@adonesky1
Copy link
Contributor Author

The error on node v 18.9.0 is new... not sure about it yet. But will dig in. I am planning to remove ethereumjs/wallet (where its thrown) in the next PR also

yeah so the issue is not introduced in this PR, tests on main fail on node v18

@adonesky1
Copy link
Contributor Author

@kumavis here is a ticket for the follow up work: MetaMask/metamask-extension#15907

@kumavis
Copy link
Member

kumavis commented Sep 27, 2022

@SocketSecurity ignore [email protected]

Copy link
Member

@kumavis kumavis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

noice

@kumavis
Copy link
Member

kumavis commented Sep 27, 2022

yarn.lock Show resolved Hide resolved
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants