bpampuch / pdfmake

Client/server side PDF printing in pure JavaScript
http://pdfmake.org

Critical Vulnerability in crypto-js dependency #2698

Closed wakasupi closed 3 months ago

wakasupi commented 3 months ago

Hi, in October 2023 a critical vulnerability was discovered in crypto-js, which is a dependency of your pdfkit fork: https://github.com/foliojs-fork/pdfkit

npm audit: crypto-js <4.2.0 Severity: critical crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard - https://github.com/advisories/GHSA-xwcq-pm8m-c4vf

liborm85 commented 3 months ago

crypto-js 4.2.0 is the fixed version. pdfkit 0.14.0 uses crypto-js version 4.2.0.
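To check the maintainer's answer against an actual install rather than trusting the top-level version, the following added example (not code from pdfmake or pdfkit) walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) and reports every copy of crypto-js older than the fixed 4.2.0, including nested copies pinned by other dependencies. The lock-file object is constructed inline; the `legacy-lib` package in it is hypothetical.

```javascript
// Added example: find copies of crypto-js older than the fixed release (4.2.0)
// in a package-lock.json. Nested installs such as
// node_modules/a/node_modules/crypto-js are reported too, since a fixed
// top-level copy does not protect a dependency that resolves to an older one.
const FIXED_VERSION = '4.2.0';

// Numeric comparison of dotted versions: <0, 0 or >0. A pre-release suffix
// ("3.1.9-1") is stripped, which is sufficient for a minimum-version check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return {path, version, parent} for every vulnerable crypto-js entry; parent
// is the package whose node_modules holds the copy ("<root>" for the top level).
function findVulnerableCryptoJs(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/crypto-js')) continue;
    if (compareVersions(meta.version, FIXED_VERSION) >= 0) continue;
    const owner = path.slice(0, -'/node_modules/crypto-js'.length);
    const parent = owner.split('node_modules/').pop() || '<root>';
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

// Constructed sample lock file: a fixed pdfkit 0.14.0 resolving to crypto-js
// 4.2.0, plus a hypothetical legacy-lib that still pins an old nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/pdfkit': { version: '0.14.0', dependencies: { 'crypto-js': '^4.2.0' } },
    'node_modules/crypto-js': { version: '4.2.0' },
    'node_modules/legacy-lib': { version: '2.1.0', dependencies: { 'crypto-js': '~3.1.9' } },
    'node_modules/legacy-lib/node_modules/crypto-js': { version: '3.1.9-1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Pass a real lock file path as argv[2]; otherwise the constructed sample is scanned.
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  console.log(JSON.stringify(findVulnerableCryptoJs(lock), null, 2));
}
```

Run with `node check-crypto-js.js ./package-lock.json`; an empty array means no resolved copy of crypto-js is below 4.2.0.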