From 45c7cb560d8c62bbbe8ea6ece48f0ac7c9c7296a Mon Sep 17 00:00:00 2001 From: Paul Miller Date: Sat, 7 Oct 2023 13:00:11 +0000 Subject: [PATCH] readme --- README.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 4aff66a..4924374 100644 --- a/README.md +++ b/README.md @@ -822,18 +822,15 @@ Use low-level libraries & languages. Nonetheless we're targetting algorithmic co * **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures. * **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs * **Rare releasing** is followed to ensure less re-audit need for end-users -* **Dependencies** are minimal: - - All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff` - - Updates themselves are rare, to ensure rogue updates are not catched accidentally +* **Dependencies** are minimized and locked-down: + - If your app has 500 dependencies, any dep could get hacked and you'll be downloading + malware with every install. We make sure to use as few dependencies as possible + - We prevent automatic dependency updates by locking-down version ranges. Every update is checked with `npm-diff` - One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author, to provide hashing functionality * **Dev Dependencies** are only used if you want to contribute to the repo. They are disabled for end-users: - scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices - prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully -Our goal is to minimize the amount of 3rd-party dependencies & native bindings. -If your app uses 500 dependencies, any dep could get hacked and you'll be -downloading malware with every install. - ### Randomness We're deferring to built-in