Trail of Bits Discloses Vulnerabilities in Elliptic JavaScript Library

Today, Trail of Bits, a well-respected security research and auditing firm, has published a blog post outlining two vulnerabilities in elliptic, a widely used JavaScript cryptographic library.


This is a companion discussion topic for the original entry at https://www.privacyguides.org/news/2025/11/18/trail-of-bits-finds-vulnerabilities-in-widely-used-cryptographic-library-one-of-which-still-not-fixed-over-a-year-later
1 Like

After I read this, I took a look at the elliptic issue tracker. It’s a little sad and scary, at the same time. Sad because this kind of neglect is almost certainly the result of the kind of burn-out that comes with maintaining popular open source software. Scary because some of the issues have been public for over a year, and still aren’t fixed.

Then I saw it has over 3000 dependent packages on npm!

I’m currently drafting/testing a virtual package that you can add to your package.json to replace elliptic with a shim library that uses noble-curves instead (GitHub - paulmillr/noble-curves: Audited & minimal JS implementation of elliptic curve cryptography).

Expect an update soon.

9 Likes
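As an added example (not the shim package from the post above, and not code from the page), here is a Node script that reads a package-lock.json, lists which packages pull in elliptic and which versions are actually installed (nested copies included), and prints the `overrides` stanza you would add to package.json to redirect every copy to a replacement package. The lockfile below is a constructed lockfileVersion 3 excerpt; SHIM_PACKAGE is a placeholder for the real shim's name, and the alias-style override spec should be checked against your npm version.

```javascript
// Constructed package-lock.json (lockfileVersion 3) excerpt for a hypothetical app.
// In a real project you would JSON.parse the file from disk instead.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "wallet-sdk": "^1.2.0", "other-lib": "^2.0.0" } },
    "node_modules/wallet-sdk": { version: "1.2.0", dependencies: { elliptic: "^6.5.4" } },
    "node_modules/elliptic": { version: "6.5.4" },
    "node_modules/other-lib": { version: "2.0.0", dependencies: { "wallet-sdk": "^1.0.0" } },
    "node_modules/other-lib/node_modules/wallet-sdk": { version: "1.0.0", dependencies: { elliptic: "^6.5.0" } },
    "node_modules/other-lib/node_modules/elliptic": { version: "6.5.0" },
  },
};

// Strip every leading ".../node_modules/" segment to get the bare (possibly scoped) package name.
function packageName(lockPath, rootName) {
  if (lockPath === "") return rootName;
  return lockPath.replace(/^.*node_modules\//, "");
}

// Every package that declares a dependency on `target`, with the range it asked for.
function findDependents(lock, target = "elliptic") {
  const found = [];
  for (const [lockPath, entry] of Object.entries(lock.packages ?? {})) {
    const deps = { ...(entry.dependencies ?? {}), ...(entry.optionalDependencies ?? {}) };
    if (Object.prototype.hasOwnProperty.call(deps, target)) {
      found.push({ dependent: packageName(lockPath, lock.name), range: deps[target] });
    }
  }
  return found;
}

// Distinct installed versions of `target`, including nested copies under other packages.
function installedVersions(lock, target = "elliptic") {
  const versions = new Set();
  for (const [lockPath, entry] of Object.entries(lock.packages ?? {})) {
    if (packageName(lockPath, lock.name) === target && entry.version) versions.add(entry.version);
  }
  return [...versions].sort();
}

// npm `overrides` stanza that forces every copy of `target` to resolve to a shim package.
// SHIM_PACKAGE is a placeholder: substitute the actual shim's name and version.
function overridesFor(target = "elliptic", shimSpec = "npm:SHIM_PACKAGE@^1.0.0") {
  return { overrides: { [target]: shimSpec } };
}

console.log(findDependents(SAMPLE_LOCK));
console.log(installedVersions(SAMPLE_LOCK));
console.log(JSON.stringify(overridesFor(), null, 2));
```

Run `npm ls elliptic` afterwards to confirm the override took effect and no nested copy of the original remains.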

For sure, I always wonder what the next news story about “this thing everyone uses has been vulnerable for years” is going to be :sob:

Wow that’s awesome! Keep us posted :grin:

I cut an initial release today. I need to test it a bit more to make sure it shims the entire elliptic API, but I wrote an integration test that ensures it replaces elliptic as intended.

3 Likes

And, here’s a blog post about the shim library: Moving Beyond the NPM elliptic Package - Dhole Moments

2 Likes