Fix vulnerabilities

Author: welldan97

package-lock.json

@@ -22,7 +22,7 @@
     "chai-as-promised": "^8.0.2",
     "chai-spies": "^1.1.0",
     "globals": "^15.4.0",
-    "mocha": "11.7.2",
+    "mocha": "11.7.5",
     "prettier": "^3.3.2",
     "tsx": "^4.16.2",
     "turbo": "^2.0.6",
@@ -37,7 +37,8 @@
     "wrap-ansi": "9.0.2",
     "ansi-styles": "6.2.3",
     "supports-color": "10.2.2",
-    "log-symbols": "7.0.1"
+    "log-symbols": "7.0.1",
+    "diff": "8.0.3"
   },
   "workspaces": [
     "packages/*"

package.json

@@ -36,9 +36,9 @@
     "@avalabs/avalanchejs": "^4.0.5",
     "@chorus-one/signer": "^1.0.0",
     "@chorus-one/utils": "^1.0.0",
+    "@noble/curves": "^1.9.2",
     "@noble/hashes": "^1.4.0",
     "ethers": "^6.13.0",
-    "secp256k1": "^5.0.0",
     "bignumber.js": "^9.1.2"
   }
 }

packages/avalanche/package.json

@@ -1,16 +1,18 @@
 import { secp256k1 as avalancheSecp256k1, utils } from '@avalabs/avalanchejs'
 import { checkMaxDecimalPlaces } from '@chorus-one/utils'
 import { Context } from '@avalabs/avalanchejs'
-import secp256k1 from 'secp256k1'
+import { secp256k1 } from '@noble/curves/secp256k1'
 import { AvalancheAddressSet } from './types.d'
 import { BigNumber } from 'bignumber.js'
 
 /** @ignore */
 export function publicKeyToAddress (pk: Uint8Array, hrp: string): AvalancheAddressSet {
-  const pkUncompressed = secp256k1.publicKeyConvert(pk, false)
+  // Convert public key using @noble/curves
+  const point = secp256k1.Point.fromHex(pk)
+  const pkUncompressed = point.toBytes(false)
 
   // NOTE: avalanchejs publicKeyBytesToAddress expects compressed public key!!! (otherwise you get wrong address)
-  const pkCompressed = secp256k1.publicKeyConvert(pkUncompressed, true)
+  const pkCompressed = point.toBytes(true)
 
   // generate C-Chain and P-Chain addresses
   const addrBytes = avalancheSecp256k1.publicKeyBytesToAddress(pkCompressed)

packages/avalanche/src/tx.ts

@@ -34,14 +34,14 @@
   "dependencies": {
     "@chorus-one/signer": "^1.0.0",
     "@chorus-one/utils": "^1.0.2",
-    "@cosmjs/amino": "^0.33.1",
-    "@cosmjs/crypto": "^0.33.1",
-    "@cosmjs/encoding": "^0.33.1",
-    "@cosmjs/math": "^0.33.1",
-    "@cosmjs/proto-signing": "^0.33.1",
-    "@cosmjs/stargate": "^0.33.1",
+    "@cosmjs/amino": "^0.38.1",
+    "@cosmjs/crypto": "^0.38.1",
+    "@cosmjs/encoding": "^0.38.1",
+    "@cosmjs/math": "^0.38.1",
+    "@cosmjs/proto-signing": "^0.38.1",
+    "@cosmjs/stargate": "^0.38.1",
+    "@noble/curves": "^1.9.2",
     "bignumber.js": "^9.1.2",
-    "cosmjs-types": "^0.9.0",
-    "secp256k1": "^5.0.0"
+    "cosmjs-types": "^0.9.0"
   }
 }

packages/cosmos/package.json

@@ -19,7 +19,7 @@ import { connectComet, CometClient } from '@cosmjs/tendermint-rpc'
 
 /** @ignore */
 export class CosmosClient extends StargateClient {
-  static async create (tmClient: CometClient, options: StargateClientOptions): Promise<CosmosClient> {
+  static create (tmClient: CometClient, options: StargateClientOptions): CosmosClient {
     return new CosmosClient(tmClient, options)
   }
 

packages/cosmos/src/client.ts

@@ -30,7 +30,7 @@ import type { Signature, Signer } from '@chorus-one/signer'
 import type { CosmosNetworkConfig, CosmosSigningData } from './types'
 import { Sha256, keccak256, Secp256k1 } from '@cosmjs/crypto'
 
-import secp256k1 from 'secp256k1'
+import { secp256k1 } from '@noble/curves/secp256k1'
 import { SafeJSONStringify, checkMaxDecimalPlaces } from '@chorus-one/utils'
 import { CosmosClient } from './client'
 import BigNumber from 'bignumber.js'
@@ -380,14 +380,18 @@ export async function getEthermintAccount (lcdUrl: string, address: string): Pro
 
 /** @ignore */
 export function publicKeyToAddress (pk: Uint8Array, bechPrefix: string): string {
-  const pkCompressed = secp256k1.publicKeyConvert(pk, true)
+  // Convert public key to compressed format using @noble/curves
+  const point = secp256k1.Point.fromHex(pk)
+  const pkCompressed = point.toBytes(true)
 
   return toBech32(bechPrefix, rawSecp256k1PubkeyToRawAddress(pkCompressed))
 }
 
 /** @ignore */
 export function publicKeyToEthBasedAddress (pk: Uint8Array, bechPrefix: string): string {
-  const pkUncompressed = secp256k1.publicKeyConvert(pk, false)
+  // Convert public key to uncompressed format using @noble/curves
+  const point = secp256k1.Point.fromHex(pk)
+  const pkUncompressed = point.toBytes(false)
 
   const hash = keccak256(pkUncompressed.subarray(1))
   const ethAddress = hash.slice(-20)

packages/cosmos/src/tx.ts

@@ -38,8 +38,8 @@
   "dependencies": {
     "@chorus-one/signer": "^1.0.0",
     "@chorus-one/utils": "^1.0.2",
+    "@noble/curves": "^1.9.2",
     "decimal.js": "^10.4.3",
-    "secp256k1": "^5.0.0",
     "viem": "^2.28.0"
   },
   "type": "module",

packages/ethereum/package.json

@@ -1,5 +1,5 @@
 import type { Signer } from '@chorus-one/signer'
-import secp256k1 from 'secp256k1'
+import { secp256k1 } from '@noble/curves/secp256k1'
 import {
   Chain,
   createWalletClient,
@@ -67,7 +67,9 @@ export class EthereumStaker {
   static getAddressDerivationFn =
     () =>
     async (publicKey: Uint8Array): Promise<Array<string>> => {
-      const pkUncompressed = secp256k1.publicKeyConvert(publicKey, false)
+      // Convert public key to uncompressed format using @noble/curves
+      const point = secp256k1.Point.fromHex(publicKey)
+      const pkUncompressed = point.toBytes(false)
       const hash = keccak256(pkUncompressed.subarray(1))
       const ethAddress = hash.slice(-40)
       return [ethAddress]

packages/ethereum/src/staker.ts

@@ -36,7 +36,7 @@
   "dependencies": {
     "@chorus-one/signer": "^1.0.0",
     "@chorus-one/utils": "^1.0.2",
-    "secp256k1": "^5.0.0",
+    "@noble/curves": "^1.9.2",
     "viem": "^2.28.0",
     "zod": "^3.25.76"
   },