Remove `@ethersproject/abi` Dependency #6284

pcaversaccio · 2025-02-14T11:18:04Z

In hardhat you have multiple dependencies on @ethersproject/abi, e.g.:

hardhat/packages/hardhat-core/package.json

Line 101 in dd19b66

"@ethersproject/abi": "^5.1.2",
hardhat/packages/hardhat-verify/package.json

Line 42 in dd19b66

"@ethersproject/abi": "^5.1.2",

Due to that dependency, you still have to rely on the old elliptic and vulnerable version GHSA-vjh7-7g9h-fjfh through ethers sub-dependency on @ethersproject/signing-key. The TL;DR is that if wallets strictly follow RFC-6979 (nonces are derived deterministically from the hashed message) and doesn't allow custom nonce injection, everything should be safe. In any case, it would be nice to remove this dependency and switch over to ethers v6 if possible. Thoughts?

The text was updated successfully, but these errors were encountered:

kanej · 2025-02-14T15:09:40Z

Thanks for bringing this up. We should switch to the newer version.

github-actions bot assigned galargh Feb 14, 2025

github-actions bot added the status:triaging label Feb 14, 2025

fvictorio added this to Hardhat Feb 14, 2025

github-project-automation bot moved this to Backlog in Hardhat Feb 14, 2025

kanej added status:ready This issue is ready to be worked on and removed status:triaging labels Feb 14, 2025

kanej assigned schaable and unassigned galargh Feb 14, 2025

kanej moved this from Backlog to To-do in Hardhat Feb 14, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove `@ethersproject/abi` Dependency #6284

Remove `@ethersproject/abi` Dependency #6284

pcaversaccio commented Feb 14, 2025

kanej commented Feb 14, 2025

Remove @ethersproject/abi Dependency #6284

Remove @ethersproject/abi Dependency #6284

Comments

pcaversaccio commented Feb 14, 2025

kanej commented Feb 14, 2025

Remove `@ethersproject/abi` Dependency #6284

Remove `@ethersproject/abi` Dependency #6284