Calling soft auditors to vet v1.0.1 on npm

[d13co]

Hi,

If you are well versed enough in Javascript to go through the code on NPM and confirm that it doesn't include anything nasty that could exfil a user's seed phrase, that would help a lot.

The package is intended to be fixed @ 1.0.0 1.0.1* version, so if you want to audit the code on npm which is immutable and drop a comment in this issue about it doing what it says on the tin/README, that would be appreciated by myself and skeptical potential users.

* 1.0.1 published after feedback below

[d13co]

Things to check:

.js files:

• do not do network calls
• do not save the seed phrase anywhere

package.json:

• only imports the algosdk package
• does not run any custom stuff like postinstall scripts

[guanzo]

For more immutability I would pin the algosdk version to 1.18.1 (remove the ^). That will avoid installing future malicious versions, however unlikely but possible.

[d13co]

Fair enough - I didn't intend to change this but why not. 1.0.1 published with fixed algosdk.
If you think the code is benign please leave a comment to this effect.
Thanks!