chore: bump ethereum-cryptography, @ethereumjs/util

[legobeat]

No description provided.

[mcmire]

@legobeat Are there any consequences for bumping these packages? Is this just to make sure we're up to date, or is there an issue that this fixes?

[legobeat]

@mcmire intention with prefixing it as chore here is to indicate that it's a regular maintenance update :) should be no breaking changes.
Main motivation is pulling in bugfixes for cryptography libraries and consolidating dependency versions downstream.

[Mrtenz]

should be no breaking changes.

@ethereumjs/util now uses @chainsafe/as-sha256 which uses WASM, so it doesn't work in all environments.

[socket-security]

New dependency changes detected. Learn more about Socket for GitHub ↗︎

---

👍 No new dependency issues detected in pull request

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

Pull request alert summary

Issue	Status
Install scripts	✅ 0 issues
Native code	✅ 0 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

---

📊 Modified Dependency Overview:

🚮 Removed packages: ethereum-cryptography@1.2.0

[legobeat]

should be no breaking changes.

@ethereumjs/util now uses @chainsafe/as-sha256 which uses WASM, so it doesn't work in all environments.

changed this PR to an smaller upgrade to 8.0.3, which does not depend on ssz.

For updates on getting in line with upstream and further context:
ChainSafe/ssz#318
ethereumjs/ethereumjs-monorepo#2648

[mcmire]

Good call @Mrtenz.

While we're on the subject, this looks to be the comparison between ethereum-cryptography 1.1.2 and 1.2.0: ethereum/js-ethereum-cryptography@c434a5f...0cf402c (no tags for these releases, unfortunately, and no changelog either). I'm not spotting anything that could cause any issues, but I'm also not an subject matter expert on this.

[FrederikBolding]

@mcmire @legobeat I think we should just hold off for a second on this PR and bump to the versions released here: ethereumjs/ethereumjs-monorepo#2648

I have an open PR here that will most likely be included to fix any incompatibilities with the extension: ethereumjs/ethereumjs-monorepo#2656

Then we should probably also bump utils etc which is currently bringing in the WASM dependency.

[Mrtenz]

@chainsafe/as-sha256 is still added in yarn.lock. Is this no longer used?

[legobeat]

@chainsafe/as-sha256 is still added in yarn.lock. Is this no longer used?

The way I understand this is that yes, it's still pulled in, but WASM parts are now dead code depending on platform. rf https://github.com/MetaMask/utils/pull/100/files

[FrederikBolding]

@chainsafe/as-sha256 is still added in yarn.lock. Is this no longer used?

It is available, but needs to be enabled to be used. By default it will use noble