Closed hmdevelopermind closed 9 months ago
@hamedminaee The browserify-sign dependency package is always downloaded at the latest version because we don't specify any particular version for browserify-sign in package.json. Thus, there's no need for a fix.
Thanks for the answer, but we are using the latest ibm-cos-sdk and we still get that vulnerability. Has anyone on your team reached out to browserify-sign for the fix? Do you have the GitHub ticket for that?
Another note: the latest install of ibm-cos-sdk still installs browserify-sign@4.2.1:
└─┬ ibm-cos-sdk@1.13.2
  └─┬ crypto-browserify@3.12.0
    └── browserify-sign@4.2.1
But I see browserify-sign@4.2.2 is released, so I'm not sure why the latest ibm-cos-sdk is not picking that one.
@hamedminaee - Doing `npm install ibm-cos-sdk` (or uninstall and install) will solve this. Additionally, confirm the installed version of browserify-sign by looking at package-lock.json or the list output.
That is what I did: deleted package-lock.json, uninstalled and installed ibm-cos-sdk, and I still see:
└─┬ ibm-cos-sdk@1.13.2
  └─┬ crypto-browserify@3.12.0
    └── browserify-sign@4.2.1
Are you sure crypto-browserify is updated with the latest browserify-sign? I do not see any browserify-sign@4.2.2 after installing the latest ibm-cos-sdk.
Supposed to be. I just did
Thanks, checked and it is fixed.
Aqua and Twistlock show we are affected by a high vulnerability because of:
└─┬ ibm-cos-sdk@1.13.2
  └─┬ crypto-browserify@3.12.0
    └── browserify-sign@4.2.1
https://nvd.nist.gov/vuln/detail/CVE-2023-46234
Any timeline on when this will be fixed?