browserify / crypto-browserify

partial implementation of node's `crypto` for the browser
MIT License

Update browserify-sign #226

Closed ricaragao closed 10 months ago

revelt commented 10 months ago

This PR might be redundant; similar to what https://github.com/browserify/crypto-browserify/pull/196 was saying — the package.json of this library consumes the browserify-sign under caret range, which means "latest compatible", in other words, highest release of the current major version.

Practically, delete your lockfile, reinstall dependencies, generate a new lockfile, run yarn audit and you'll see no warning. After wiping the lockfile, my yarn why browserify-sign reports => Found "browserify-sign@4.2.2".

Delete and rebuild the lockfile of your web application.

ljharb commented 10 months ago

Yep, exactly right.

ricaragao commented 10 months ago

@revelt I'm using npm. I removed the lockfile and ran npm install, and npm audit. After applying the patch, my tree of npm packages is without browserify-sign. When I run npm ls, I get this error:

npm ERR! missing: browserify-sign@4.2.1, required by crypto-browserify@3.12.0

ljharb commented 10 months ago

You shouldn’t be “applying a patch”. You should just do an npm install and then npm update browserify-sign

ricaragao commented 10 months ago

I did, but it had no effect on updating the package, and the vulnerability is still there with audit.

ljharb commented 10 months ago

What does npm explain browserify-sign say?

Either way under no circumstances should anything need to be done except on your local machine, and you shouldn’t need to manually touch node_modules.

ricaragao commented 10 months ago

Result: npm explain browserify-sign

```
browserify-sign@4.2.1 bundled
node_modules/meteor-node-stubs/node_modules/browserify-sign
  browserify-sign@"^4.0.0" from crypto-browserify@3.12.0
  node_modules/meteor-node-stubs/node_modules/crypto-browserify
    bundled crypto-browserify@"^3.12.0" from meteor-node-stubs@1.2.5
    node_modules/meteor-node-stubs
      meteor-node-stubs@"^1.2.1" from the root project
```

ricaragao commented 10 months ago

I didn't manually touch my node_modules.

ljharb commented 10 months ago

See how it says “bundled”? Looks like meteor-node-stubs has screwed you, by bundling browserify-sign@4.2.1 instead of depending on it normally. File an issue with them.

ricaragao commented 10 months ago

Uhm... but I'm seeing that they included the crypto-browserify package, not browserify-sign directly. See the package.json:

https://github.com/meteor/meteor/blob/devel/npm-packages/meteor-node-stubs/package.json

ricaragao commented 10 months ago

Is it not right? And should crypto-browserify be updated?

@ljharb

ljharb commented 10 months ago

You’re right, but they bundled it, so they’ll need to install the latest and republish to fix it.
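A check for the situation discussed in this thread, added here as an example and not code from crypto-browserify or meteor-node-stubs: it walks the `packages` map of a package-lock (lockfile v2/v3, where copies installed from a parent's `bundleDependencies` carry `inBundle: true`), lists every installed copy of a package, names the parent that bundles it, and flags copies that do not satisfy the fixed range, which is exactly what `npm update` cannot repair. The lockfile contents are constructed to mirror the `npm explain` output above, and the caret check assumes plain numeric versions with a non-zero major.

```javascript
// Constructed sample lockfile fragment modelled on the `npm explain` output in
// the thread: meteor-node-stubs bundles an old browserify-sign, while the root
// project resolves a fixed copy at the top level.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "meteor-node-stubs": "^1.2.1" } },
    "node_modules/meteor-node-stubs": {
      version: "1.2.5",
      bundleDependencies: ["crypto-browserify", "browserify-sign"],
      dependencies: { "crypto-browserify": "^3.12.0" },
    },
    "node_modules/meteor-node-stubs/node_modules/crypto-browserify": {
      version: "3.12.0", inBundle: true,
      dependencies: { "browserify-sign": "^4.0.0" },
    },
    "node_modules/meteor-node-stubs/node_modules/browserify-sign": {
      version: "4.2.1", inBundle: true,
    },
    "node_modules/browserify-sign": { version: "4.2.2" },
  },
};

// Minimal caret-range check (^X.Y.Z): same major as X and >= X.Y.Z.
// Assumption: plain numeric versions, non-zero major, no prerelease tags.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only caret ranges supported");
  const v = version.split(".").map(Number);
  const r = range.slice(1).split(".").map(Number);
  if (v[0] !== r[0]) return false;
  for (let i = 0; i < 3; i++) {
    if (v[i] > r[i]) return true;
    if (v[i] < r[i]) return false;
  }
  return true;
}

// One record per installed copy of `name`: its lockfile path, version, the
// parent that bundled it (null when npm resolved it normally), and whether it
// falls outside `fixedRange`, e.g. "^4.2.2" for the fixed browserify-sign.
function findCopies(lock, name, fixedRange) {
  const out = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (!path.endsWith("node_modules/" + name)) continue;
    const cut = path.lastIndexOf("/node_modules/");
    const parent = cut < 0 ? "" : path.slice(0, cut); // "" is the root project
    out.push({
      path, version: pkg.version,
      bundledBy: pkg.inBundle ? parent : null,
      outdated: !satisfiesCaret(pkg.version, fixedRange),
    });
  }
  return out;
}
```

Run against a real lockfile with `findCopies(JSON.parse(fs.readFileSync("package-lock.json")), "browserify-sign", "^4.2.2")`; any record with both `bundledBy` and `outdated` set needs the bundling package to republish, as ljharb says above.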