blocknative
[security] Replace crypto-es with latest crypto-js v4.2.0
Description
This update addresses a crucial security concern in the hashing strategy by altering the default hash algorithm and iterations for PBKDF2. The previous configuration, which relied on the defaults provided by crypto-es, posed potential security weaknesses due to less robust defaults.
Key Changes:
Switched to crypto-js: We have transitioned from using crypto-es to crypto-js. This decision was driven by the wider adoption and community support for crypto-js. Its extensive use in the industry makes it a more reliable choice for our cryptographic operations.
More info:
PBKDF2 is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).
Unlike the modern webcrypto standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 1993, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, OWASP recommends 1,300,000
Checklist
- [x] The version field in
package.jsonis incremented following semantic versioning - [x] The box that allows repo maintainers to update this PR is checked
- [x] I tested locally to make sure this feature/fix works
@sirtimid we are not using PBKDF2, so I am a little confused as to why it is mentioned as a reason of why to switch libraries? Could you please point us to a reference of the "crucial security concern" with the crypto-es SHA1 function that is being used in the code?
This is probably regarding this GH (dependabot) advisory: https://github.com/advisories/GHSA-mpj8-q39x-wq5h
It's nice to know that the package isn't using the vulnerable function, but it would be even better to not have this critical dependabot warning :v:
