browserify / crypto-browserify

partial implementation of node's `crypto` for the browser
MIT License

Security vulnerability in browserify-sign #192

Closed mikaelharsjo closed 3 years ago

mikaelharsjo commented 4 years ago

The 4.0.0 version of browserify-sign depends on a version of elliptic that has a vulnerability. You should update it to 4.2.1.

sarimarton commented 3 years ago

Can we move this forward? It blocks me in an enterprise env, where Snyk spots this issue.

calvinmetcalf commented 3 years ago

Delete your package-lock or yarn-lock and reinstall. This project calls for `^4.0.0`, which means `>= 4.0.0 && <5.0.0`, so it should use the latest version of browserify-sign.

sarimarton commented 3 years ago

Thanks, indeed it solved the problem. (I guess this issue can be closed then.)
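
The situation resolved in this thread, as an added example that is not part of the original discussion or of the project's code: a lockfile keeps browserify-sign pinned at an old version even though the declared caret range already admits the fixed release. The sketch assumes the npm `packages` lockfile layout (lockfileVersion 2 or 3) and caret ranges with a major version of 1 or higher; `sampleLock`, `auditPins` and the helper names are hypothetical, and the lockfile data is constructed.

```javascript
// Constructed lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/crypto-browserify": {
      version: "3.12.0",
      dependencies: { "browserify-sign": "^4.0.0" }
    },
    "node_modules/browserify-sign": { version: "4.0.0" }
  }
};

// Parse "x.y.z" into numbers; prerelease/build tags are ignored in this sketch.
function parse(v) {
  return v.split(/[-+]/)[0].split(".").map(Number);
}

// Negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret range, major >= 1 only: ^M.m.p means >= M.m.p and < (M+1).0.0.
function satisfiesCaret(version, range) {
  const base = range.replace(/^\^/, "");
  return compare(version, base) >= 0 && parse(version)[0] === parse(base)[0];
}

// Report each locked copy of `name`, whether it is older than the fixed
// release, and whether every range requesting it would accept that release.
function auditPins(lock, name, fixedVersion) {
  const entries = Object.entries(lock.packages || {});
  const ranges = entries
    .map(([, meta]) => (meta.dependencies || {})[name]).filter(Boolean);
  const findings = [];
  for (const [path, meta] of entries) {
    if (!path.endsWith("node_modules/" + name)) continue;
    findings.push({
      path,
      locked: meta.version,
      belowFix: compare(meta.version, fixedVersion) < 0,
      fixReachable: ranges.every((r) => satisfiesCaret(fixedVersion, r))
    });
  }
  return findings;
}

console.log(auditPins(sampleLock, "browserify-sign", "4.2.1"));
```

A finding with `belowFix: true` and `fixReachable: true` is the case from this thread: no upstream change is needed, only a fresh resolution of the lockfile.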