meteor / node-stubs

Stub implementations of Node built-in modules, a la Browserify
MIT License

Please update elliptic dependency #19

Closed. quophyie closed this 4 years ago

quophyie commented 4 years ago

Hi, we depend on meteor-node-stubs for one of our projects. meteor-node-stubs seems to have a dependency on elliptic which, according to our security reports from Snyk, has a vulnerability, so can you please update the elliptic dependency to a version newer than elliptic@6.4.0?

Our security report is below:

Vulnerable module: elliptic
Introduced through: meteor-node-stubs@0.4.1

Detailed paths

Introduced through: reaction@2.8.0 › meteor-node-stubs@0.4.1 › crypto-browserify@3.12.0 › create-ecdh@4.0.3 › elliptic@6.4.0
Remediation: Your dependencies are out of date, otherwise you would be using a newer elliptic than elliptic@6.4.0. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.

Introduced through: reaction@2.8.0 › meteor-node-stubs@0.4.1 › crypto-browserify@3.12.0 › browserify-sign@4.0.4 › elliptic@6.4.0
Remediation: Your dependencies are out of date, otherwise you would be using a newer elliptic than elliptic@6.4.0. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.

Zertz commented 4 years ago

If you're using Yarn, you can use selective dependency resolutions to update sub-dependencies.
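As an added example (not code from this project or from any commenter), the check a maintainer would run before and after adding a Yarn `resolutions` entry: walk an `npm ls --json`-style dependency tree and list every path that still reaches `elliptic` at or below 6.4.0, the version the report names. The tree is constructed inline to mirror the two paths in the Snyk report; the `resolutions` object uses a placeholder for the patched version, which the page does not state.

```javascript
// Constructed dependency tree shaped like `npm ls --json` output,
// mirroring the two "Detailed paths" from the report above.
const tree = {
  name: 'reaction', version: '2.8.0',
  dependencies: {
    'meteor-node-stubs': { version: '0.4.1', dependencies: {
      'crypto-browserify': { version: '3.12.0', dependencies: {
        'create-ecdh': { version: '4.0.3', dependencies: {
          elliptic: { version: '6.4.0' } } },
        'browserify-sign': { version: '4.0.4', dependencies: {
          elliptic: { version: '6.4.0' } } },
      } } } } } };

// Numeric comparison of dotted version strings; returns -1, 0 or 1.
// (Assumption: plain x.y.z versions, no prerelease tags.)
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every "name@version › ..." chain that ends
// at `target` with a version not newer than `maxAffected`.
function findAffectedPaths(root, target, maxAffected) {
  const hits = [];
  const walk = (name, node, chain) => {
    const path = chain.concat(`${name}@${node.version}`);
    if (name === target && compareVersions(node.version, maxAffected) <= 0) {
      hits.push(path.join(' › '));
    }
    for (const [child, sub] of Object.entries(node.dependencies || {})) {
      walk(child, sub, path);
    }
  };
  walk(root.name, root, []);
  return hits;
}

// Yarn selective dependency resolution that forces every nested elliptic
// to one version; "<PATCHED_VERSION>" is a placeholder (not on the page).
const resolutions = { '**/elliptic': '<PATCHED_VERSION>' };

console.log(findAffectedPaths(tree, 'elliptic', '6.4.0'));
console.log(JSON.stringify({ resolutions }, null, 2));
```

After adding the `resolutions` entry to package.json and reinstalling, rerun the walk against real `npm ls --json` output; an empty result means no path reaches the affected version any more.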

filipenevola commented 4 years ago

Hi @quophyie, as our direct dependencies are up-to-date, I believe the best option is really to use selective dependency resolutions from Yarn.

namirsab commented 4 years ago

Are there any plans on bumping the top level dependencies here to avoid the selective dependency resolution workaround?

Zertz commented 4 years ago

The issue comes from unmaintained dependencies.

crypto-browserify and create-ecdh haven't been updated in years. There's a pull request to update elliptic which you may 👍 to show support.