Bump version for crypto-js to >= 4.0.0 (security issue) #1095

Closed
c-goetz opened this issue Mar 2, 2020 · 6 comments
Comments

c-goetz commented Mar 2, 2020

Bug Report

Pdfkit depends on crypto-js with the version qualifier "crypto-js": "^3.1.9-1". This version is vulnerable to brix/crypto-js#254

Please bump the version to >= 4.0.0 and maybe remove the "^" from version. Crypto-js does not seem to use semantic versioning correctly.

Description of the problem

From reading the vulnerability report it may seem that updating to >= 3.2.1 is sufficient. But the fix was later rolled back in 3.3.0 (see comment at end of brix/crypto-js#256)

Warning: this may break things on older browsers.

Thanks for your time and work on this library. Much appreciated.

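A lockfile audit for the situation this report describes, added here as an example and not code from pdfkit or crypto-js: it encodes the affected crypto-js versions as the report states them (before 3.2.1, plus 3.3.0 which reverted the fix; treating later 3.x releases like 3.3.0 and >= 4.0.0 as fixed is an assumption), shows why the caret range "^3.1.9-1" resolves to 3.3.0 but never 4.0.0, and walks a constructed package-lock.json fragment (not a real pdfkit lockfile) to flag affected resolutions with the path that pulled them in.

```javascript
// Parse "MAJOR.MINOR.PATCH[-prerelease]" (e.g. "3.1.9-1") into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b; a prerelease sorts before its release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Caret range "^X.Y.Z" (X >= 1) allows >= X.Y.Z and < (X+1).0.0, which is why
// "^3.1.9-1" lets npm resolve 3.3.0 (the rollback) but can never reach 4.0.0.
function caretAllows(range, candidate) {
  const base = range.replace(/^\^/, '');
  const nextMajor = `${parseVersion(base).major + 1}.0.0`;
  return compareVersions(candidate, base) >= 0 && compareVersions(candidate, nextMajor) < 0;
}

// As this issue reports: < 3.2.1 affected, 3.2.1 fixed, 3.3.0 reverted the fix. Assumption: later 3.x likewise, >= 4.0.0 fixed.
function isAffectedCryptoJs(version) {
  if (compareVersions(version, '4.0.0') >= 0) return false;
  if (compareVersions(version, '3.2.1') < 0) return true;
  return compareVersions(version, '3.3.0') >= 0;
}

// Walk a lockfile "dependencies" tree (npm lockfile v1 layout, still present in v2)
// and report every resolved crypto-js with the dependency path that pulled it in.
function findCryptoJs(lock, path = [], out = []) {
  for (const [name, info] of Object.entries(lock.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'crypto-js') out.push({ path: here.join(' > '), version: info.version, affected: isAffectedCryptoJs(info.version) });
    findCryptoJs(info, here, out);
  }
  return out;
}

// Constructed sample lockfile (not a real pdfkit lockfile): one affected and one fixed resolution.
const sampleLock = {
  dependencies: {
    pdfkit: { version: '0.12.1', dependencies: { 'crypto-js': { version: '3.3.0' } } },
    'other-lib': { version: '1.0.0', dependencies: { 'crypto-js': { version: '4.0.0' } } },
  },
};

console.log(findCryptoJs(sampleLock));
```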
@alliedgorn

I'm having this problem with my company's vulnerability scanner. Is there anything I can do to help get this through?

JavaZava commented Apr 9, 2021

@c-goetz I am dealing with this issue, but we were able to sidestep it by regenerating the package-lock.json file.

As you correctly state, this package requires "crypto-js": "^3.1.9-1" which is affected by a big vulnerability. However, it was patched in version 3.2.1.

By recreating the package-lock.json file, npm should download the latest compatible library (minor update) which is 3.3.0 at the time of writing.

This is what we did on our side, and Snyk (the service we use to review these issues) stopped complaining about this vulnerability.

@blikblum (Member)

I updated to 3.3, then realized that it is the same as 3.1.

Upgrading to 4.0 seems straightforward. The drop of IE10 should not be a problem, but it will also affect React Native (which I don't know if it currently works).

c-goetz (Author) commented Apr 19, 2021

@JavaZava, as @blikblum mentioned 3.3.0 is basically 3.1.9-1 and thus also vulnerable. I just reported that to Snyk, so your vulnerability scanner should also pick it up soon.
Our current solution to this problem is to exclude the transitive dependency on crypto-js and patch out every usage of it from our direct dependencies.
This seems more feasible than my original plan to report the vulnerability along our dependency chain.

liborm85 (Collaborator) commented Jul 7, 2021

https://app.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472 says:

Remediation
Upgrade crypto-js to version 4.0.0, 3.2.1 or higher.

Because pdfkit 0.12.1 uses crypto-js version 3.3.0, it should be a safe version. It is not possible to upgrade to 4.0.0, because pdfkit works in React Native.

In the https://github.com/brix/crypto-js changelog, the critical bug is only in version 3.2.0; the others are not vulnerable.

blikblum (Member) commented Aug 1, 2021

Done in 0.12.3

blikblum closed this as completed Aug 1, 2021