Closed ShiftLefter closed 2 years ago
Good to see that this is still an issue.
Hi @ShiftLefter. Thank you for raising this issue. We have a couple of pending PRs that should see any current dependency vulnerabilities, as reported by NPM/GitHub, resolved. Upon resolution, they'll be added to our release candidate versions (rc) until the next official release of each given package.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.
Hi team,
Several BitGo library dependencies have severe security issues that haven't been fixed for a long time.
Please give us a remediation plan or upgrade them at the soonest. This can pose serious risks to companies like us who are relying on BitGo for transactions, and hence we implore you to take quick action regarding these. For every Critical, High, and Medium severity vulnerability in BitGo dependencies, we recommend running
npm audit
and analysing how to upgrade them to the latest versions. For your reference:
Our security tooling has identified several critical vulnerabilities in BitGo module dependencies such as:
sanitize-html: https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-585892 (you are using transformTags inside the BitGo package)
ansi-regex: https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
crypto-js: https://app.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
Please let us know your remediation plans regarding them.
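An added example (not BitGo's code, nor the reporter's) of the triage the issue asks for: it reads the JSON that `npm audit --json` prints, keeps findings at or above a chosen severity and records whether npm offers a fix and whether that fix is a breaking major bump, so a CI job can fail on them. The report layout (npm 7+, auditReportVersion 2) is assumed; the sample report is constructed and its advisory URLs are placeholders, not the Snyk entries above.

```python
import json
import subprocess

# npm's severity names, ranked so a threshold can be compared against them.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the `npm audit --json` (auditReportVersion 2) layout.
# Severities, fix data and advisory URLs are illustrative, not real advisories.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "crypto-js": {"name": "crypto-js", "severity": "critical", "isDirect": True,
                      "via": [{"title": "constructed", "url": "https://example.invalid/adv-1"}],
                      "fixAvailable": True},
        "ansi-regex": {"name": "ansi-regex", "severity": "high", "isDirect": False,
                       "via": [{"title": "constructed", "url": "https://example.invalid/adv-2"}],
                       "fixAvailable": {"name": "some-cli", "version": "9.9.9", "isSemVerMajor": True}},
        "sanitize-html": {"name": "sanitize-html", "severity": "moderate", "isDirect": True,
                          "via": [{"title": "constructed", "url": "https://example.invalid/adv-3"}],
                          "fixAvailable": False},
    },
})


def findings_at_or_above(report: dict, threshold: str) -> list[dict]:
    """Return advisories whose severity is >= threshold, worst first."""
    floor = SEVERITY_RANK[threshold]
    out = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = vuln.get("severity", "info")
        if SEVERITY_RANK.get(severity, 0) < floor:
            continue
        # "via" mixes advisory objects with bare names of packages that carry the
        # vulnerability transitively; only the objects have advisory URLs.
        urls = [v["url"] for v in vuln.get("via", []) if isinstance(v, dict) and "url" in v]
        fix = vuln.get("fixAvailable", False)  # bool, or a dict naming a parent bump
        out.append({"package": name, "severity": severity, "direct": bool(vuln.get("isDirect")),
                    "fix_available": bool(fix),
                    "fix_is_breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
                    "advisories": urls})
    out.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return out


def audit_gate(report_json: str, threshold: str = "moderate") -> tuple[bool, list[dict]]:
    """Parse an audit report; return (passes, findings) for the given threshold."""
    findings = findings_at_or_above(json.loads(report_json), threshold)
    return (len(findings) == 0, findings)


def run_live_audit(threshold: str = "moderate") -> tuple[bool, list[dict]]:
    """Gate on a real project: npm exits non-zero whenever it finds issues, so the
    exit code is ignored and only the JSON report is parsed."""
    proc = subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True)
    return audit_gate(proc.stdout, threshold)
```

Run `run_live_audit("moderate")` inside the project and fail the pipeline when the first element is False; the findings list says which entries need a manual major-version upgrade rather than `npm audit fix`.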