auth0 / passport-wsfed-saml2

passport strategy for both WS-fed and SAML2 protocol
MIT License

Old version of Cryptiles is used #101

Open david-nossebro opened 6 years ago

david-nossebro commented 6 years ago

In the current version of Passport, Cryptiles version 0.2.2 is used. This version of Cryptiles contains a security issue mentioned here: https://github.com/hapijs/cryptiles/issues/34

In my project we use the tool "Black Duck Scan" which flags this as a critical issue.

This issue is fixed in version 4.1.2 of Cryptiles according to this page: https://nvd.nist.gov/vuln/detail/CVE-2018-1000620
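As an added example that is not part of this issue thread or of the passport-wsfed-saml2 project, the check below walks an `npm ls --json` style dependency tree and reports every transitive copy of cryptiles older than the 4.1.2 fix version; the sample tree, the placeholder version and the package names around cryptiles are constructed, and on a real project the tree would come from `JSON.parse` of the `npm ls --json` output.

```javascript
const FIXED_VERSION = '4.1.2'; // fix version cited from the NVD entry in the issue

// Compare two "x.y.z" version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk an `npm ls --json` style tree and collect "a@v > b@v > cryptiles@v"
// paths for every cryptiles node whose version is below FIXED_VERSION.
function findVulnerableCryptiles(tree, path = [], found = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'cryptiles' && compareVersions(node.version, FIXED_VERSION) < 0) {
      found.push(here.join(' > '));
    }
    findVulnerableCryptiles(node, here, found);
  }
  return found;
}

// Constructed sample tree, not real output from this project: cryptiles 0.2.2
// is pulled in transitively, while another copy already sits at 4.1.2.
// Package names other than cryptiles and passport-wsfed-saml2 are assumed.
const sampleTree = {
  name: 'my-app',
  dependencies: {
    'passport-wsfed-saml2': {
      version: '0.0.0', // placeholder, not a real release number
      dependencies: {
        'some-http-client': {
          version: '1.0.0',
          dependencies: { cryptiles: { version: '0.2.2' } },
        },
      },
    },
    'other-lib': { version: '2.0.0', dependencies: { cryptiles: { version: '4.1.2' } } },
  },
};

console.log(findVulnerableCryptiles(sampleTree));
```

Each reported path shows which top-level dependency drags the old copy in, which is what you need in order to decide whether an upgrade or an override of the transitive dependency is the right fix.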

jkomyno commented 5 years ago

+1 on this. The same security issue pops up when running the audit command using either npm or yarn.


More info here.

CameronJ26 commented 5 years ago

Any movement on this? This is still an issue.

david-nossebro commented 4 years ago

I made a fix for it here: https://github.com/auth0/passport-wsfed-saml2/pull/102

It got stuck in the review process.