ethers-gcp-kms-signer - npm Package Compare versions

Comparing version 1.1.4 to 1.1.5

CHANGELOG.md

@@ -0,1 +1,8 @@
+## [1.1.5](https://github.com/openlawteam/ethers-gcp-kms-signer/compare/v1.1.4...v1.1.5) (2022-11-15)
+
+
+### fix
+
+* read gcreds from env var ([7fcc05d](https://github.com/openlawteam/ethers-gcp-kms-signer/commit/7fcc05d79e4d06bda0920dcc785e0560cd7d2835))
+
 ## [1.1.4](https://github.com/openlawteam/ethers-gcp-kms-signer/compare/v1.1.3...v1.1.4) (2022-10-31)
@@ -2,0 +9,0 @@

dist/util/gcp-kms-utils.js

@@ -41,2 +41,11 @@ "use strict";
 /* eslint-enable func-names */
+
+function getClientCredentials() {
+  return process.env.GOOGLE_APPLICATION_CREDENTIAL_EMAIL && process.env.GOOGLE_APPLICATION_CREDENTIAL_PRIVATE_KEY ? {
+    credentials: {
+      client_email: process.env.GOOGLE_APPLICATION_CREDENTIAL_EMAIL,
+      private_key: process.env.GOOGLE_APPLICATION_CREDENTIAL_PRIVATE_KEY
+    }
+  } : {};
+}
 function sign(_x, _x2) {
@@ -47,3 +56,3 @@ return _sign.apply(this, arguments);
   _sign = _asyncToGenerator(function* (digest, kmsCredentials) {
-    const kms = new _kms.KeyManagementServiceClient();
+    const kms = new _kms.KeyManagementServiceClient(getClientCredentials());
     const versionName = kms.cryptoKeyVersionPath(kmsCredentials.projectId, kmsCredentials.locationId, kmsCredentials.keyRingId, kmsCredentials.keyId, kmsCredentials.keyVersion);
@@ -64,3 +73,3 @@ const _yield$kms$asymmetric = yield kms.asymmetricSign({
   var _ref = _asyncToGenerator(function* (kmsCredentials) {
-    const kms = new _kms.KeyManagementServiceClient();
+    const kms = new _kms.KeyManagementServiceClient(getClientCredentials());
     const versionName = kms.cryptoKeyVersionPath(kmsCredentials.projectId, kmsCredentials.locationId, kmsCredentials.keyRingId, kmsCredentials.keyId, kmsCredentials.keyVersion);
@@ -67,0 +76,0 @@ const _yield$kms$getPublicK = yield kms.getPublicKey({

package.json

 {
   "name": "ethers-gcp-kms-signer",
-  "version": "1.1.4",
+  "version": "1.1.5",
   "description": "An Ethers.js compatible signer that connects to GCP KMS",
@@ -5,0 +5,0 @@ "main": "dist/signer.js",

src/util/gcp-kms-utils.ts

@@ -24,4 +24,15 @@ import { ethers } from "ethers";
 
+function getClientCredentials() {
+  return process.env.GOOGLE_APPLICATION_CREDENTIAL_EMAIL && process.env.GOOGLE_APPLICATION_CREDENTIAL_PRIVATE_KEY
+    ? {
+        credentials: {
+          client_email: process.env.GOOGLE_APPLICATION_CREDENTIAL_EMAIL,
+          private_key: process.env.GOOGLE_APPLICATION_CREDENTIAL_PRIVATE_KEY,
+        },
+      }
+    : {};
+}
+
 export async function sign(digest: Buffer, kmsCredentials: GcpKmsSignerCredentials) {
-  const kms = new KeyManagementServiceClient();
+  const kms = new KeyManagementServiceClient(getClientCredentials());
   const versionName = kms.cryptoKeyVersionPath(
@@ -44,3 +55,3 @@ kmsCredentials.projectId,
 export const getPublicKey = async (kmsCredentials: GcpKmsSignerCredentials) => {
-  const kms = new KeyManagementServiceClient();
+  const kms = new KeyManagementServiceClient(getClientCredentials());
   const versionName = kms.cryptoKeyVersionPath(
@@ -47,0 +58,0 @@ kmsCredentials.projectId,

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 2 instances in 1 package

Improved metrics

Total package byte prevSize

55609

increased by1.9%

Lines of code

956

increased by1.92%

Worsened metrics

Number of low supply chain risk alerts

4

increased byInfinity%

No dependency changes