bls-signatures: **[Caution]** The NPM package currently public is an unknown `0.2.5` version

The problem

If you install bls-signatures via `npm install bls-signatures`, you will get bls-signatures version 0.2.5, whose source code has not yet been published to this repository: https://www.npmjs.com/package/bls-signatures. Maybe a developer built their private source code and published it to the npm registry.

I cannot say it is untrusted because the one who published the 0.2.5 version of the npm package is one of the original authors.

But the world of cryptocurrency requires an extreme level of transparency. The npm package published to the npm registry should be synced with the source code publicly available in this repository.

Note

Anyone who wants to install the latest package, including the fixed js typings that were recently committed, please visit my forked repository.
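One way to check whether a published npm package is backed by the public source, as an added example that is not part of this issue or of the bls-signatures project: it assumes you have unpacked the tarball (for instance `npm pack bls-signatures@0.2.5` followed by `tar xzf`, giving a `package/` directory) and cloned the repository, then compares per-file SHA-256 digests and the two `package.json` versions. `demo()` runs the comparison over constructed sample trees; the file names and versions inside it are placeholders, not the real package contents.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Directories that never ship in a tarball or never live in a checkout.
IGNORED = {".git", "node_modules"}

def file_digests(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and not IGNORED & set(rel.parts):
            out[rel.as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def read_version(root: Path) -> str:
    return json.loads((root / "package.json").read_text())["version"]

def compare_package_to_repo(package_dir, repo_dir) -> dict:
    """Report what in the published package is not backed by the repository.
    Files only in the repo (tests, CI config) are expected and not reported."""
    pkg_dir, repo_dir = Path(package_dir), Path(repo_dir)
    pkg, repo = file_digests(pkg_dir), file_digests(repo_dir)
    return {
        "package_version": read_version(pkg_dir),
        "repo_version": read_version(repo_dir),
        "only_in_package": sorted(set(pkg) - set(repo)),
        "modified": sorted(f for f in pkg.keys() & repo.keys() if pkg[f] != repo[f]),
    }

def demo() -> dict:
    """Constructed sample trees standing in for the real tarball and checkout."""
    base = Path(tempfile.mkdtemp())
    trees = {  # "0.0.0-repo" is a constructed placeholder, not a real tag
        "package": {"package.json": '{"version": "0.2.5"}',
                    "index.js": "module.exports = 1;\n",
                    "blsjs.wasm": "constructed stand-in for a built artifact"},
        "repo": {"package.json": '{"version": "0.0.0-repo"}',
                 "index.js": "module.exports = 1;\n",
                 "src/bls.cpp": "// constructed"},
    }
    for tree, files in trees.items():
        for name, content in files.items():
            path = base / tree / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
    return compare_package_to_repo(base / "package", base / "repo")
```

A non-empty `only_in_package` or `modified` list means the registry artifact contains bytes that no public commit accounts for, which is exactly the transparency gap this issue describes.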

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 31 (6 by maintainers)
