2021-01-26 20:32:00 +01:00
# FAQ
## Too much nodejs dependencies! Who audits all of that?
We do. Really, when we bump deps we glance over the diff, and all versions are
2021-10-01 22:42:46 +02:00
pinned. Also, we use paid audit solution https://snyk.io which is specifically
2021-01-26 20:32:00 +01:00
designed to keep an eye on deps.
2021-10-01 22:42:46 +02:00
And yes, we have too many of them, and PRs cutting deps are welcome
2021-01-26 20:32:00 +01:00
(see https://github.com/BlueWallet/BlueWallet/blob/master/CONTRIBUTING.md)
2021-10-01 22:42:46 +02:00
Also, really risky dependencies (like, from not-reputable/anonymous maintainers)
2021-01-26 20:32:00 +01:00
we fork and use under our organization, and when we update them from upstream (rarely)
we do review the code
2021-10-01 22:42:46 +02:00
## Does BlueWallet download the Bitcoin Headers? I see no place you call blockchain.block.headers so I'm wondering how do you guys deal with the headers? How can you make sure you follow the correct chain in order to make sure you're spending a confirmed UTXO?
2021-01-26 20:32:00 +01:00
The idea is that by default BW doesn’ t use public electrum servers, only
2021-10-01 22:42:46 +02:00
ones hosted by BlueWallet, so they are kinda trusted. And end-user has an
option to change Electrum server to something he provides, so he knows what
he is doing and trusts his own electrum server.
2021-01-26 20:32:00 +01:00
We would definitely need proper SPV verification if we used random
electrum server every time from a pool of public servers.