Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge pull request #55 from BitGo/CT-698-eos #56

Open
wants to merge 52 commits into
base: CT-698-eos
Choose a base branch
from
Open

Merge pull request #55 from BitGo/CT-698-eos #56

wants to merge 52 commits into from

Conversation

6paklata
Copy link

CT-698 Add EOS signing logic

Motivation

Overview Of Changes

dannydeezy and others added 30 commits July 16, 2019 17:37
@dannydeezy
Merge pull request #55 from BitGo/CT-698-eos
9f48c83 
CT-698 Add EOS signing logic
@CapnMigraine
CT-856 - Bump SDK version to 7.0.0-rc.0
9d436d3
@dannydeezy
Merge pull request #57 from BitGo/CT-856.bump-sdk-version
dba9fee 
CT-856 - Bump SDK version to 7.0.0-rc.0
[TRON-58] Add KRS Support for TRON
a55d5e6 
Adds @bitgo/account-lib dependency
Adds signing helper for TRON
Adds a test for signing a TRON tx
Add Statics support
f888c9f 
We were differentiating testnet vs mainnet coins based on whether they
start with a 't' before. This doesn't work anymore with TRON (symbol
trx), so instead we now use statics
@marktoda
Merge pull request #59 from BitGo/TRON-58-add-krs-support-for-tron
fadf3b7 
[TRON-58] Add KRS Support for TRON
@longnguyenTM
[ISSUE-60] Refactor the signing functions in sign.js to reduce boiler…
bf62d71 
…plate code.
@longnguyenTM
correct mis-spelled words and change parameter name.
abb852f
@cooncesean
Merge pull request #62 from longnguyenTM/issue60
981b7b3 
Interview coding challenge  - Long Nguyen
@Sword-Smith
Add ethereumjs-util as explicit dependency
92fcff3 
This bumps the used ethereumjs-util from 4.5.0 to 6.2.0. The existing
dependency bitgo already depended on ethereumjs-util which is why an
older version was already included in the dependency tree.
@Sword-Smith
Fix bug in getBackupSigningKey
f008f34 
This function was missing a function application at the end, meaning that
its return type was function and not string as it should be. This has
now been fixed.

It took me a bit too long to find this bug so included in this commit is
a small change to make the code a bit less compact by declaring the
return value from getBackupSigningKey to an appropriately named local
variable.

Also improves nomenclature in getBackupSigningKey by explictly
distinguishing between regular private keys and extended private keys.
@Sword-Smith
Add check for valid XLM master seed
8935531 
Add a check to verify that the XLM master seed is a valid seed for key
derivation. Stellar Ecosystem Proposal 5 specifies (through BIP39 and
BIP32) that valid seeds are between 128 bit and 512 bit.

This fixes a bug when running the tests under latest node version
(12.16.1) where the function utils.js/deriveChildKey would accept an
invalid seed and derive child keys from this seed.

This fix has been tested to work under both node v6 (current
production version) and latest version (v12).
@Sword-Smith
Add minor documentation improvements
f357171 
Clarifies two ETH test cases and adds/improves documentation to various
functions.
@Sword-Smith
Utilize signature module from ethereumjs-util
bfb2e7c 
This replaces the use of the `sign` function in `ethereumjs-tx` with the
`ecsign` function from the `ethereumjs-util` package as requested in

We currently chose not to use EIP155 when generating the signatures. To
add this, we would need to know the chain ID for the Ethereum chain we are
signing the transaction. Activating EIP155 would make the generated
signatures replay-resistant on other Ethereum blockchains.
@tylerlevine
Merge pull request #66 from Sword-Smith/master
2a498b6 
Fix broken unit tests
@james8nguyen
Implement initial Drone CI for this KRSv2 project.
1711aef 
Add the following support in .drone.yml:
1) Support for both node versions 10 and 6.
2) Support for npm audit.
3) Support for eslint.

JIRA: BG-18745
@drGrove @james8nguyen
Get drone builds into a working state
e8ddf11 
Issues with the configuration of drone caused it to throw an unmarshall
error. Moved to jsonnet as it keeps things a little more locked in and
easier to do more creative things in the future.

Ticket: BG-18745
@james8nguyen
Moved audit to node v10 pipeline and updated package-lock.json.
88f53b4 
JIRA: BG-18745
@james8nguyen
Upgrade the following depedencies and resolve vulnerabilities:
5779646 
* SDK bitgo 10.0.0
* bitgo/statics 3.4.2
* bitgo/account-lib 1.0.2
* stellar-hd-wallet 0.0.10 (result of npm audit fix)
* mocha 7.1.1 (result of npm audit fix)

JIRA: BG-19209
@james8nguyen
Enable support for node 12 and disable for node 6
3c908f6 
Added the following changes:
1. Obsolete build/test support for Node 6 (BG-19294).
2. Add build/test support for Node 12 (BG-19213).
3. Disable eslint temporarily and move into another PR per Tyler's request (BG-19296).

JIRA: BG-19294,BG-19213
@james8nguyen
BG-18658 Merge pull request #70 from BitGo/BG-19209-node10
0c65d77 
BG-18658 Implement CI pipeline for our KRSv2 project.
@james8nguyen
Enable lint test for KRSv2
d7bf444 
JIRA: BG-19296
Fix lint
50947c9
Fix Tests
2541dba 
Some tests were broken, causing CI to fail and blocking merges. This
commit fixes those tests:
- Fix usage of bitgo-account-lib interface since it has changed
- Yield promises

Ticket: BG-19296
@tylerlevine
Merge pull request #73 from BitGo/BG-19296-enable-lint
7d98115 
Fix Tests and Lint
@aaldemir
fix(package.json): update packages importing elliptic to bump elliptic
dbe3f7b 
version, add useFindAndModify spec to findOneAndUpdate query
@aaldemir
fix(package.json): update @bitgo/account-lib package to ^2.13.0
58fb05a
@aaldemir
fix(package.json): update packages importing elliptic and changed por…
22c90be 
…t in testutils file
@tylerlevine
Merge pull request #88 from aaldemir/BG-23533-bump-elliptic-dependencies
76462f0 


fix(package.json): update packages importing elliptic
@OttoAllmendinger
chore(package): use @bitgo/utxo-lib
618184e 
Use new import path

Issue: BG-34381
OttoAllmendinger and others added 12 commits September 6, 2021 15:06
@OttoAllmendinger
chore(gitignore): ignore iml files
30d962e 
Created by IntelliJ

Issue: BG-34381
@OttoAllmendinger
chore(test): update zcash expected transaction bytes
5e09a21 
The updated utxolib uses a different `consensusBranchId` for zcash
and thus serializes the transaction differently.

Issue: BG-34381
@OttoAllmendinger
chore(app): remove prova-lib
b8ebc75 
Issue: BG-34381
@OttoAllmendinger
chore(app): use standard import name for utxolib
aa44234 
Issue: BG-34381
@OttoAllmendinger
fix(app): do not use HDNode.fromPrivateKeyBuffer()
6948de1 
There is no plausible use case where we want to instantiate a bip32
node from just the private key buffer (without chaincode).

Issue: BG-34381
@OttoAllmendinger
chore(app): use bip32 instead of HDNode
336dea0 
HDNode will be deprecated in a future utxolib version

Issue: BG-34381
@OttoAllmendinger
fix(app): improve error message
94d99c6 
Issue: BG-34381
@OttoAllmendinger
fix(root): bump bitgo deps
6b4d02c 
Throwing stuff and seeing what sticks

Issue: BG-34381
@OttoAllmendinger
fix(app,test): fix eslint errors
055d881 
Issue: BG-34381
@tylerlevine
Merge pull request #90 from BitGo/BG-34381.use-bitgo-dep
3b4998e 
chore(package): use @bitgo/utxo-lib
@bgdeploybot @sandeeppanchal-bitgo
chore(renovate): initial renovate configuration
f011d5d
@therealdwright
Merge pull request #116
70f3adb
@socket-security Socket Security
Copy link

socket-security bot commented Feb 1, 2024
edited
Loading

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@bitgo/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +1302 472 MB mmcshinsky-bitgo
npm/@bitgo/[email protected] None 0 326 kB perrybitgo
npm/@bitgo/[email protected] Transitive: environment, filesystem +43 3.14 MB tylerlevine
npm/[email protected] Transitive: environment, filesystem +27 2.64 MB junderw
npm/[email protected] environment Transitive: eval, filesystem, network, shell, unsafe +1396 639 MB tylerlevine
npm/[email protected] filesystem, unsafe Transitive: environment, eval, shell +110 17.3 MB eslint
npm/[email protected] Transitive: environment, filesystem +33 2.17 MB holgerd77
npm/[email protected] environment, filesystem Transitive: eval, shell +143 7.21 MB craigtaub
npm/[email protected] Transitive: environment, filesystem +28 44.7 MB chatch

🚮 Removed packages: npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

@socket-security Socket Security
Copy link

socket-security bot commented Feb 1, 2024
edited
Loading

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
Protestware/Troll package npm/[email protected]
  • Note: This package prints a protestware console message on install regarding Ukraine for users with Russian language locale
Install scripts npm/[email protected]
  • Install script: postinstall
  • Source: node -e "try{require('./_postinstall')}catch(e){}" || exit 0
Install scripts npm/[email protected]
  • Install script: postinstall
  • Source: node scripts/postinstall
Native code npm/[email protected]
Native code npm/[email protected]
Native code npm/[email protected]
Install scripts npm/[email protected]
  • Install script: install
  • Source: npm run build || echo "secp256k1 bindings compilation fail. Pure JS implementation will be used."
Native code npm/[email protected]
Install scripts npm/[email protected]
  • Install script: install
  • Source: npm run rebuild || echo "Couldn't build bindings. Non-native version used."
Native code npm/[email protected]
Native code npm/[email protected]
Install scripts npm/[email protected]
  • Install script: postinstall
  • Source: echo "WARNING: the web3-bzz api will be deprecated in the next version"
Install scripts npm/[email protected]
  • Install script: postinstall
  • Source: echo "WARNING: the web3-shh api will be deprecated in the next version"
Native code npm/[email protected]
Install scripts npm/[email protected]
  • Install script: install
  • Source: npm run rebuild || echo "Keccak bindings compilation fail. Pure JS implementation will be used."
Native code npm/[email protected]
Native code npm/[email protected]
Git dependency npm/[email protected]
Install scripts npm/[email protected]
  • Install script: postinstall
  • Source: echo "WARNING: the web3-shh and web3-bzz api will be deprecated in the next version"

View full report↗︎

Next steps

What is protestware?

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Consider that consuming this package my come along with functionality unrelated to its primary purpose.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What's wrong with native code?

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

What are git dependencies?

Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.

Publish the git dependency to npm or a private package repository and consume it from there.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

dependabot bot and others added 10 commits February 6, 2024 16:48
@dependabot
Bump protobufjs from 6.11.2 to 6.11.4
2fc77e6 
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 6.11.2 to 6.11.4.
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/protobufjs/protobuf.js/commits)

---
updated-dependencies:
- dependency-name: protobufjs
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dhoffmann
Merge pull request #119 from BitGo/dependabot/npm_and_yarn/protobufjs…
11c9d96 
…-6.11.4

Bump protobufjs from 6.11.2 to 6.11.4
@dependabot
Bump mongoose from 5.13.3 to 5.13.20
44f602b 
Bumps [mongoose](https://github.com/Automattic/mongoose) from 5.13.3 to 5.13.20.
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md)
- [Commits](Automattic/mongoose@5.13.3...5.13.20)

---
updated-dependencies:
- dependency-name: mongoose
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump minimist from 1.2.5 to 1.2.8
a6aacb9 
Bumps [minimist](https://github.com/minimistjs/minimist) from 1.2.5 to 1.2.8.
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v1.2.5...v1.2.8)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump webpack from 5.52.0 to 5.90.1
cf0eb65 
Bumps [webpack](https://github.com/webpack/webpack) from 5.52.0 to 5.90.1.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v5.52.0...v5.90.1)

---
updated-dependencies:
- dependency-name: webpack
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dhoffmann
Merge pull request #127 from BitGo/dependabot/npm_and_yarn/minimist-1…
1878920 
….2.8

Bump minimist from 1.2.5 to 1.2.8
@dhoffmann
Merge pull request #128 from BitGo/dependabot/npm_and_yarn/webpack-5.…
8af0ef6 
…90.1

Bump webpack from 5.52.0 to 5.90.1
@dhoffmann
Merge pull request #126 from BitGo/dependabot/npm_and_yarn/mongoose-5…
4a894e1 
….13.20

Bump mongoose from 5.13.3 to 5.13.20
@KartikKSrivastava
chore: enable github advanced security workflow
adc6cfd 
This PR enable github advanced security workflow

Ticket: DO-8117
@the-smooth-operator
Merge pull request #134 from BitGo/codeql
48dc710 
chore: enable github advanced security workflow
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.