Closed ricaragao closed 10 months ago
Yep, exactly right.
@revelt I'm using npm. I removed the lockfile and ran `npm install`, and `npm audit`. After applying the patch, my tree of npm packages is without `browserify-sign`. When I run `npm ls` I got this error:
```
npm ERR! missing: browserify-sign@4.2.1, required by crypto-browserify@3.12.0
```
You shouldn’t be “applying a patch”. You should just do an `npm install` and then `npm update browserify-sign`
I did, but it had no effect on updating the package, and the vulnerability is still there with audit.
What does `npm explain browserify-sign` say?
Either way under no circumstances should anything need to be done except on your local machine, and you shouldn’t need to manually touch node_modules.
Result:
```
npm explain browserify-sign
browserify-sign@4.2.1 bundled
node_modules/meteor-node-stubs/node_modules/browserify-sign
  browserify-sign@"^4.0.0" from crypto-browserify@3.12.0
  node_modules/meteor-node-stubs/node_modules/crypto-browserify
    bundled crypto-browserify@"^3.12.0" from meteor-node-stubs@1.2.5
    node_modules/meteor-node-stubs
      meteor-node-stubs@"^1.2.1" from the root project
```
I didn't manually touch my `node_modules`.
See how it says “bundled”? Looks like meteor-node-stubs has screwed you, by bundling browserify-sign@4.2.1 instead of depending on it normally. File an issue with them.
Uhm... but I'm seeing they included the `crypto-browserify` package, not `browserify-sign` directly. See the package.json:
https://github.com/meteor/meteor/blob/devel/npm-packages/meteor-node-stubs/package.json
Is it not right? And should `crypto-browserify` be updated?
@ljharb
You’re right, but they bundled it, so they’ll need to install the latest and republish to fix it.
This PR might be redundant; similar to what https://github.com/browserify/crypto-browserify/pull/196 was saying — the `package.json` of this library consumes `browserify-sign` under a caret range, which means "latest compatible", in other words, the highest release of the current major version. Practically, delete your lockfile, reinstall dependencies, generate a new lockfile, run `yarn audit` and you'll see no warning. After wiping the lockfile, my `yarn why browserify-sign` reports `=> Found "browserify-sign@4.2.2"`. Delete and rebuild the lockfile of your web application.