Open mauricewegner opened 10 months ago
Crypto-js is no longer maintained. We should update code to use native crypto https://www.npmjs.com/package/crypto-js
The release of 3.19.0 re-introduces this vulnerability as it downgraded the crypto-js library again (https://github.com/gocardless/gocardless-nodejs/commit/1e5ae78322c1bdb034ebba24594d1d5f659ed042)
A new release with #170 included would resolve this issue.
FYI PR https://github.com/gocardless/gocardless-nodejs/pull/174 just re-introduced crypto-js
CVE-2023-46233 (cve.org)
Affected versions < 4.2.0
It would be great if you could bump it.
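The downgrade described in this thread is the kind of regression a lockfile check in CI can catch. The following is an added example, not part of the thread or the project's code: it scans an npm lockfile's `packages` map for any copy of crypto-js below 4.2.0, including nested copies. The sample lockfile and the `example-app` / `example-sdk` names are constructed for illustration.

```javascript
// Added example: flag crypto-js copies below 4.2.0 (CVE-2023-46233) in an npm lockfile.
const FIXED = [4, 2, 0]; // first unaffected version, as stated in the thread

// Parse "major.minor.patch" into numbers; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so 4.10.0 is not treated as lower than 4.2.0.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Returns [{path, version}] for every affected crypto-js entry.
// Works on the "packages" map used by lockfileVersion 2 and 3.
function findAffectedCryptoJs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match top-level and nested installs, but not e.g. "not-crypto-js".
    if (!/(^|\/)node_modules\/crypto-js$/.test(path)) continue;
    const v = parseVersion(meta.version || "");
    // Unparseable versions are reported too, so they get reviewed by hand.
    if (v === null || isBelow(v, FIXED)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile: a patched top-level copy plus an old nested copy
// pulled in by a (made-up) dependency that pins a lower version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/crypto-js": { version: "4.2.0" },
    "node_modules/example-sdk": { version: "1.2.3" },
    "node_modules/example-sdk/node_modules/crypto-js": { version: "3.3.0" },
  },
};

const affected = findAffectedCryptoJs(sampleLock);
for (const h of affected) console.log(`affected: ${h.path}@${h.version}`);
```

In CI, load the real `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and fail the job when the returned list is non-empty.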