fix(crypto): bump libsodium wrappers for ESM imports#1683
Conversation
|
Thanks @Chris79OG , we need to audit the new package version before we can merge this, cc @rhyslbw |
rhyslbw
left a comment
There was a problem hiding this comment.
Audit: libsodium-wrappers-sumo 0.7.10 → 0.8.4
Ran a two-pass audit (static review + tarball/runtime inspection). Clean, narrowly-scoped fix for a real ESM-loader bug (#1682), against a dep with a single trusted maintainer, with byte-identical crypto outputs at the SDK's hash/sign call sites. Small change request to pin the version exactly, otherwise good to merge.
Provenance
- Same npm publisher across all 0.7.x and 0.8.x versions:
jedisct1(Frank Denis, author of upstream libsodium-C). No ownership change. - All five 0.8.x tarballs are npm-signed with the same key (
SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U); the keyid delta vs 0.7.10 is npm's own registry signing-key rotation, not a user-controlled change. - 7 distinct upstream contributors between tags
0.7.10and0.8.4(163 commits), all real-named; every non-jedisct1 PR was reviewed and merged by Frank Denis. Sampled non-maintainer diffs match their commit messages.
Tarball contents
- Both
libsodium-wrappers-sumo@0.8.4andlibsodium-sumo@0.8.4contain onlypackage.json,README.md,LICENSE, and four JS/dts files. Noscriptsfield, no pre/post-install hooks, no native blobs (.node/.so/.dylib), nobinentries. - Only network/eval-adjacent strings are canonical Emscripten boilerplate (
require("crypto")for NoderandomBytesfallback;XMLHttpRequest/fetchin the wasm/asm.js loader). Zeroeval(),new Function(), orchild_process. - No transitive surface expansion —
libsodium-sumoremains the only runtime dep, same as 0.7.10.
Vulnerabilities
- OSV reports no advisories for either
libsodium-wrappers-sumoorlibsodium-sumoat any version.
Crypto correctness (the part that matters for a key-derivation/signing dep)
- Bundled native libsodium in 0.8.4 is 1.0.22-RELEASE (legitimate latest upstream, signed by jedisct1).
crypto_generichashsymbol diff between 0.7.10 and 0.8.4: only change ishash_lengthtypinguint → ranged_uint(stricter input validation; identical underlying C call).crypto_generichash(28, pk)andcrypto_generichash(28, pk, null)produce bit-identical 28-byte output — thenullarg is libsodium's canonical "unkeyed BLAKE2b" sentinel.- Verified known-answer vectors against 0.8.4: BLAKE2b-256(empty) =
0e5751c0…12fe3a8, BLAKE2b-256("abc") =bddd813c…8d52319, Ed25519 RFC 8032 seed-1 keypair and detached signature both byte-match the spec. - All other sodium symbols
packages/crypto/srcimports (crypto_scalarmult_ed25519_base_noclamp,crypto_core_ed25519_*,crypto_hash_sha512,crypto_sign_seed_keypair,crypto_sign_detached,crypto_sign_verify_detached,crypto_auth_hmacsha512) remain call-compatible with current usage — no other source changes required.
AngelCastilloB
left a comment
There was a problem hiding this comment.
I pulled the 0.8.4 tarballs and checked their SHA-512 hashes against what the registry reports, both matched exactly, and npm's own signature on the packages verified. I also re-ran our own yarn to recompute the lockfile checksums from a fresh download, and they matched the values in yarn.lock and yarn-project.nix byte-for-byte.
Update packages/crypto/package.json Co-authored-by: Rhys Bartels-Waller <rhyslbw@gmail.com>
d0dd5b0 to
aaf400a
Compare
Summary
@cardano-sdk/cryptofromlibsodium-wrappers-sumo@0.7.10to^0.8.4libsodium-wrappers-sumoandlibsodium-sumonullkey tocrypto_generichashso the package builds against the 0.8 bundled typesVerification
node .yarn/releases/yarn-3.2.1.cjs install --mode=skip-buildnode .yarn/releases/yarn-3.2.1.cjs workspace @cardano-sdk/crypto exec tsc --build srcnode .yarn/releases/yarn-3.2.1.cjs workspace @cardano-sdk/crypto exec tsc -p src/tsconfig.json --outDir ./dist/esm --module es2020 --noEmitnode -e "import('libsodium-wrappers-sumo').then(async m => { const s=m.default||m; await s.ready; const h=s.crypto_generichash(28, new Uint8Array([1,2,3]), null); console.log(h.length === 28 ? 'hash ok' : 'bad length '+h.length) })"Note:
yarn workspace @cardano-sdk/crypto buildreaches the TypeScript build, then fails on Windows because the package script uses Unixcp.Closes #1682