IBM / ibm-cos-sdk-js

Apache License 2.0

Aqua and twistlock shows we are affected by high vulnerability because of browserify-sign@4.2.1 #103

Closed. hmdevelopermind closed this 9 months ago

hmdevelopermind commented 9 months ago

Aqua and Twistlock show we are affected by a high vulnerability because of

└─┬ ibm-cos-sdk@1.13.2
  └─┬ crypto-browserify@3.12.0
    └── browserify-sign@4.2.1

https://nvd.nist.gov/vuln/detail/CVE-2023-46234

Any timeline on when this will be fixed?

IBM-diksha commented 9 months ago

@hamedminaee The browserify-sign dependency package is always downloaded at the latest version because we don't specify any particular version for browserify-sign in package.json. Thus, there's no need to fix.

hmdevelopermind commented 9 months ago

Thanks for the answer, but we are using the latest ibm-cos-sdk and still we get that vulnerability. Has anyone in your team reached out to browserify-sign for the fix? Do you have the GitHub ticket for that?

Another note: the latest install of ibm-cos-sdk still installs browserify-sign@4.2.1:

└─┬ ibm-cos-sdk@1.13.2
  └─┬ crypto-browserify@3.12.0
    └── browserify-sign@4.2.1

but I see browserify-sign@4.2.2 is released, so not sure why the latest ibm-cos-sdk is not picking that one.

IBMalok commented 9 months ago

@hamedminaee - Doing npm install ibm-cos-sdk (or uninstall and install) will solve this. Additionally, confirm the installed version of browserify-sign by looking at package-lock.json or the npm list output.

hmdevelopermind commented 9 months ago

That is what I did: deleted package-lock.json, uninstalled and installed ibm-cos-sdk, and still I see

└─┬ ibm-cos-sdk@1.13.2
  └─┬ crypto-browserify@3.12.0
    └── browserify-sign@4.2.1

Are you sure crypto-browserify is updated with the latest browserify-sign? I do not see any browserify-sign@4.2.2 after installing the latest ibm-cos-sdk.

IBMalok commented 9 months ago

Supposed to be. I just did: [image]

hmdevelopermind commented 9 months ago

Thanks, checked and it is fixed.