gocardless / gocardless-nodejs

GoCardless Node.js client
MIT License

Critical `crypto-js` vulnerability (CVE-2023-46233) #165

Open mauricewegner opened 10 months ago

mauricewegner commented 10 months ago

CVE-2023-46233 (cve.org)

Affected versions: < 4.2.0. It would be great if you could bump it.

rameshvr commented 10 months ago

Crypto-js is no longer maintained. We should update the code to use native crypto. https://www.npmjs.com/package/crypto-js

mauricewegner commented 10 months ago

Fixed via https://github.com/gocardless/gocardless-nodejs/pull/168

mauricewegner commented 9 months ago

The release of 3.19.0 re-introduces this vulnerability as it downgraded the crypto-js library again (https://github.com/gocardless/gocardless-nodejs/commit/1e5ae78322c1bdb034ebba24594d1d5f659ed042)

A new release with #170 included would resolve this issue.

SteveOfficerSeccl commented 7 months ago

FYI PR https://github.com/gocardless/gocardless-nodejs/pull/174 just re-introduced crypto-js