This commit is contained in:
Paul Miller 2023-10-07 13:00:11 +00:00
parent b36bf44f4b
commit 45c7cb560d
No known key found for this signature in database
GPG Key ID: 697079DA6878B89B

@ -822,18 +822,15 @@ Use low-level libraries & languages. Nonetheless we're targetting algorithmic co
* **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures. * **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
* **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs * **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
* **Rare releasing** is followed to ensure less re-audit need for end-users * **Rare releasing** is followed to ensure less re-audit need for end-users
* **Dependencies** are minimal: * **Dependencies** are minimized and locked-down:
- All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff` - If your app has 500 dependencies, any dep could get hacked and you'll be downloading
- Updates themselves are rare, to ensure rogue updates are not catched accidentally malware with every install. We make sure to use as few dependencies as possible
- We prevent automatic dependency updates by locking-down version ranges. Every update is checked with `npm-diff`
- One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author, to provide hashing functionality - One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author, to provide hashing functionality
* **Dev Dependencies** are only used if you want to contribute to the repo. They are disabled for end-users: * **Dev Dependencies** are only used if you want to contribute to the repo. They are disabled for end-users:
- scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices - scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices
- prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully - prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully
Our goal is to minimize the amount of 3rd-party dependencies & native bindings.
If your app uses 500 dependencies, any dep could get hacked and you'll be
downloading malware with every install.
### Randomness ### Randomness
We're deferring to built-in We're deferring to built-in