
Dependency conflict: kornrunner/secp256k1 requires vulnerable mdanter/ecc v1 #56

@sajaddp

Description

Hi,

I’m trying to install fenguoz/tron-api version 1.1.0, but Composer blocks the installation because one of its transitive dependencies depends on a package affected by security advisories.

Problem

fenguoz/tron-api requires:

"kornrunner/secp256k1": "^0.2"

That resolves to:

kornrunner/secp256k1 0.2.0

But kornrunner/secp256k1 0.2.0 requires:

mdanter/ecc ^1

Composer refuses to install mdanter/ecc v1.0.0 because it is affected by security advisories:

PKSA-j43q-24zh-tyzv
PKSA-36gf-zqdd-tq5m

Composer error

Problem 1
  - Root composer.json requires fenguoz/tron-api 1.1.0 -> satisfiable by fenguoz/tron-api[1.1.0].
  - fenguoz/tron-api 1.1.0 requires kornrunner/secp256k1 ^0.2 -> satisfiable by kornrunner/secp256k1[0.2.0].
  - kornrunner/secp256k1 0.2.0 requires mdanter/ecc ^1 -> found mdanter/ecc[v1.0.0] but these were not loaded, because they are affected by security advisories ("PKSA-j43q-24zh-tyzv", "PKSA-36gf-zqdd-tq5m").

Expected behavior

The package should be installable without requiring dependencies affected by known security advisories.

Suggested fix

Please consider upgrading or replacing the dependency chain that currently requires:

kornrunner/secp256k1 ^0.2

Possible options may include:

  • upgrading kornrunner/secp256k1 if a newer secure version is compatible
  • replacing the secp256k1 implementation with a maintained alternative
  • updating composer.json constraints to avoid vulnerable mdanter/ecc versions

Environment

Package: fenguoz/tron-api
Version: 1.1.0
Package manager: Composer

Thanks.
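For anyone triaging the same error in CI, the chain above can be reproduced and checked programmatically. The script below is an added example, not code from fenguoz/tron-api, kornrunner/secp256k1, mdanter/ecc or Composer itself: it walks a small constructed package index (versions and constraints copied from the Composer output above, plus a hypothetical fenguoz/tron-api 1.0.0 requiring kornrunner/secp256k1 ^0.1 that exists only to show the no-advisory case), picks the newest version satisfying each caret constraint, and reports every resolved path that ends at a package version carrying advisories. It handles only Composer's caret ("^") and exact-version constraints and ignores stability flags; Composer's real resolver is a full SAT solver, so treat this as a triage aid, not a replacement for `composer why` / `composer audit`.

```python
"""Trace root requirements to dependency versions that carry security advisories.

Added example over a constructed package index; it is not part of
fenguoz/tron-api, kornrunner/secp256k1 or Composer.  Only caret ("^") and
exact constraints are understood, and stability flags are ignored.
"""
from __future__ import annotations

# Constructed package index: name -> {version: {dependency: constraint}}.
# The 1.1.0 -> ^0.2 -> ^1 chain is taken from the Composer error in the issue;
# fenguoz/tron-api 1.0.0 requiring ^0.1 is hypothetical, for contrast only.
PACKAGES: dict[str, dict[str, dict[str, str]]] = {
    "fenguoz/tron-api": {
        "1.0.0": {"kornrunner/secp256k1": "^0.1"},  # hypothetical
        "1.1.0": {"kornrunner/secp256k1": "^0.2"},
    },
    "kornrunner/secp256k1": {
        "0.1.0": {},                                # hypothetical
        "0.2.0": {"mdanter/ecc": "^1"},
    },
    "mdanter/ecc": {
        "v1.0.0": {},
    },
}

# Constructed advisory map; the IDs are the ones Composer reported above.
ADVISORIES: dict[str, dict[str, list[str]]] = {
    "mdanter/ecc": {"v1.0.0": ["PKSA-j43q-24zh-tyzv", "PKSA-36gf-zqdd-tq5m"]},
}


def parse_version(v: str) -> tuple[int, int, int]:
    """'v1.0.0' -> (1, 0, 0); '0.2' -> (0, 2, 0). Leading 'v' is dropped."""
    nums = [int(p) for p in v.lstrip("v").split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def caret_range(constraint: str) -> tuple[tuple[int, int, int], tuple[int, int, int]]:
    """Composer caret semantics as a half-open [lo, hi) range:
    ^1 -> >=1.0.0 <2.0.0, ^0.2 -> >=0.2.0 <0.3.0, ^0.0.3 -> >=0.0.3 <0.0.4.
    A bare version such as '1.1.0' is treated as an exact match."""
    if constraint.startswith("^"):
        major, minor, patch = parse_version(constraint[1:])
        if major > 0:
            hi = (major + 1, 0, 0)
        elif minor > 0:
            hi = (0, minor + 1, 0)
        else:
            hi = (0, 0, patch + 1)
        return (major, minor, patch), hi
    exact = parse_version(constraint)
    return exact, (exact[0], exact[1], exact[2] + 1)


def satisfies(version: str, constraint: str) -> bool:
    lo, hi = caret_range(constraint)
    return lo <= parse_version(version) < hi


def pick_version(name: str, constraint: str) -> str | None:
    """Newest indexed version satisfying the constraint (Composer's default
    prefer-newest behaviour), or None when nothing matches."""
    candidates = [v for v in PACKAGES.get(name, {}) if satisfies(v, constraint)]
    return max(candidates, key=parse_version) if candidates else None


def vulnerable_paths(root_requires: dict[str, str]) -> list[tuple[list[str], list[str]]]:
    """Return (path, advisory_ids) for every resolved chain that ends at a
    package version with advisories. Path entries are 'name version'."""
    results: list[tuple[list[str], list[str]]] = []

    def walk(name: str, constraint: str, path: list[str], seen: set[str]) -> None:
        version = pick_version(name, constraint)
        if version is None or name in seen:  # unresolvable or cyclic: stop here
            return
        node = f"{name} {version}"
        ids = ADVISORIES.get(name, {}).get(version, [])
        if ids:
            results.append((path + [node], list(ids)))
        for dep, dep_constraint in PACKAGES[name][version].items():
            walk(dep, dep_constraint, path + [node], seen | {name})

    for name, constraint in root_requires.items():
        walk(name, constraint, [], set())
    return results


if __name__ == "__main__":
    for path, ids in vulnerable_paths({"fenguoz/tron-api": "1.1.0"}):
        print(" -> ".join(path), "| blocked by", ", ".join(ids))
```

Running it with the root requirement from this issue prints the single chain fenguoz/tron-api 1.1.0 -> kornrunner/secp256k1 0.2.0 -> mdanter/ecc v1.0.0 together with both advisory IDs, which is exactly what Composer's "Problem 1" output is saying; swapping in a root version whose resolved chain reaches no advised package yields an empty list.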
