[Snyk] Security upgrade bip85 from 0.0.3 to 1.0.0 #28
revan-zhang wants to merge 1 commit into master from
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-14908844
✅ Snyk checks have passed. No issues have been found so far.
| "bip38": "2.0.2", | ||
| "bip38grs": "git://github.com/Groestlcoin/bip38grs.git#091975b01679b74dc0a4136bb743fe17791b0151", | ||
| "bip85": "0.0.3", | ||
| "bip85": "1.0.0", |
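Review bot: the advisory this PR remediates (SNYK-JS-ELLIPTIC-14908844) is in elliptic, reached transitively through bip85, so raising the direct pin to "1.0.0" in libs/combined/package.json only closes it if the regenerated libs/combined/package-lock.json actually resolves elliptic to a patched release. Commit the regenerated lockfile with this change and confirm the resolved tree with `npm ls elliptic` inside libs/combined before merging; with the lockfile left as-is, `npm ci` keeps installing the old dependency tree and the upgrade is a no-op.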
🔴 package-lock.json not updated to match bip85 version bump to 1.0.0
The package.json bumps bip85 from 0.0.3 to 1.0.0, but libs/combined/package-lock.json still pins bip85 at version 0.0.3 (see libs/combined/package-lock.json entries under both dependencies and packages). This means npm ci (which respects the lockfile) will still install 0.0.3, making the version bump ineffective. Running npm install would update the lockfile, but the lockfile should be committed as part of this PR to ensure deterministic builds.
Prompt for agents
Run `npm install` (or `npm update bip85`) inside the `libs/combined/` directory to regenerate `libs/combined/package-lock.json` with bip85 version 1.0.0, then commit the updated lockfile alongside the package.json change. Also verify that the bip85 1.0.0 API is compatible with the usage in src/js/index.js (specifically BIP85.fromBase58, deriveBIP39, deriveWIF, deriveXPRV, deriveHex methods), since this is a major version bump that may include breaking changes.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| "bip38": "2.0.2", | ||
| "bip38grs": "git://github.com/Groestlcoin/bip38grs.git#091975b01679b74dc0a4136bb743fe17791b0151", | ||
| "bip85": "0.0.3", | ||
| "bip85": "1.0.0", |
Lock file not updated, will break npm ci
High Severity
The package.json now specifies bip85 version 1.0.0, but libs/combined/package-lock.json still references version 0.0.3 throughout (both in the packages and dependencies sections). This mismatch will cause npm ci to fail, since it requires the lock file to be in sync with package.json. If npm install is used instead, it may update the lock file — but only if version 1.0.0 actually exists on npm.
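As an added example (not code from the PR or the project), the manifest-versus-lockfile consistency check the two reviews above ask for, run over a constructed package.json and package-lock.json that reproduce the bip85 0.0.3 vs 1.0.0 mismatch; the file contents are embedded inline rather than read from libs/combined.

```javascript
// Added example, not code from the PR or the project: check that the version
// package.json declares for a dependency matches package-lock.json, covering
// both lockfile layouts npm writes (v1 "dependencies" and v2/v3 "packages").
// Constructed manifest and lockfile mirroring the mismatch flagged above.
const packageJson = {
  name: "combined",
  dependencies: { bip38: "2.0.2", bip85: "1.0.0" },
};
const packageLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/bip38": { version: "2.0.2" },
    "node_modules/bip85": { version: "0.0.3" },
  },
  dependencies: {
    bip38: { version: "2.0.2" },
    bip85: { version: "0.0.3" },
  },
};
// Version each lockfile section records for `name` (absent sections omitted).
function lockedVersions(lock, name) {
  const found = {};
  const pkg = lock.packages && lock.packages[`node_modules/${name}`];
  if (pkg) found.packages = pkg.version;
  const dep = lock.dependencies && lock.dependencies[name];
  if (dep) found.dependencies = dep.version;
  return found;
}
// One message per out-of-sync entry; [] means the lockfile is consistent.
// Only exact pins are compared: a range spec (^1.0.0, ~1.0.0) accepts any
// version inside it, so it is skipped rather than misreported.
function checkLockSync(manifest, lock) {
  const problems = [];
  for (const [name, spec] of Object.entries(manifest.dependencies || {})) {
    const locked = lockedVersions(lock, name);
    if (Object.keys(locked).length === 0) {
      problems.push(`${name}: declared ${spec} but absent from lockfile`);
      continue;
    }
    if (!/^\d+\.\d+\.\d+$/.test(spec)) continue;
    for (const [section, version] of Object.entries(locked)) {
      if (version !== spec) {
        problems.push(`${name}: package.json pins ${spec}, lockfile ${section} has ${version}`);
      }
    }
  }
  return problems;
}
console.log(checkLockSync(packageJson, packageLock));
```

Run against the real files by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))`; a non-empty result is the same condition that makes `npm ci` refuse to install.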
| "bip38": "2.0.2", | ||
| "bip38grs": "git://github.com/Groestlcoin/bip38grs.git#091975b01679b74dc0a4136bb743fe17791b0151", | ||
| "bip85": "0.0.3", | ||
| "bip85": "1.0.0", |
Major version bump may break bip85 API usage
High Severity
Upgrading bip85 from 0.0.3 to 1.0.0 is a semver-major bump, and the Snyk metadata itself flags "isBreakingChange":true. The codebase calls specific APIs — BIP85.fromBase58(), .deriveBIP39(language, length, index).toMnemonic(), .deriveWIF(index).toWIF(), .deriveXPRV(index).toXPRV(), and .deriveHex(bytes, index).toEntropy() in src/js/index.js — whose signatures or return types may have changed in v1.0.0, silently producing incorrect cryptographic output or runtime errors.


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
libs/combined/package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-ELLIPTIC-14908844
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Medium Risk
Upgrades a crypto-related dependency with a major version jump, which could introduce API/behavior changes affecting the bundled bip39-libs.js build or downstream consumers.
Overview
Updates the libs/combined bundled dependency set by upgrading bip85 from 0.0.3 to 1.0.0 to address a reported vulnerability in its crypto dependency chain.
Written by Cursor Bugbot for commit 1027ce8. This will update automatically on new commits.