Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Bump version for crypto-js to >= 4.0.0 (security issue)
See original GitHub issueBug Report
Pdfkit depends on crypto-js with the version qualifier "crypto-js": "^3.1.9-1",. This version is vulnerable to https://github.com/brix/crypto-js/issues/254
Please bump the version to >= 4.0.0 and maybe remove the “^” from version. Crypto-js does not seem to use semantic versioning correctly.
Description of the problem
From reading the vulnerability report it may seem that updating to >= 3.2.1 is sufficient. But the fix was later rolled back in 3.3.0 (see comment at end of https://github.com/brix/crypto-js/issues/256)
Warning: this may break things on older browsers.
Thanks for your time and work on this library. Much appreciated.
Code sample
Your environment
- pdfkit version:
- Node version:
- Browser version (if applicable):
- Operating System:
Issue Analytics
- State:
- Created 4 years ago
- Reactions:3
- Comments:6 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Done in 0.12.3
https://app.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472 say:
Because pdfkit 0.12.1 uses crypto-js version 3.3.0 it should be safe version. Is not possible upgrade to 4.0.0, because pdfkit works in React native.
In https://github.com/brix/crypto-js changelog is critical bug only in version 3.2.0 others are without vulnerable.