Open david-nossebro opened 6 years ago
+1 on this. The same security issue pops up when running the audit command using either npm or yarn.
More info here.
Any movement on this? This is still an issue.
I made a fix for it here: https://github.com/auth0/passport-wsfed-saml2/pull/102
It got stuck in the review process.
In the current version of Passport, Cryptiles version 0.2.2 is used. This version of Cryptiles contains a security issue mentioned here: https://github.com/hapijs/cryptiles/issues/34
In my project we use the tool "Black Duck Scan" which flags this as a critical issue.
This issue is fixed in version 4.1.2 of Cryptiles according to this page: https://nvd.nist.gov/vuln/detail/CVE-2018-1000620