supertokens / supertokens-node

Node SDK for SuperTokens core
https://supertokens.com

Security Vulnerability within pkce-challenge->crypto-js #792

Closed SargisPlusPlus closed 4 months ago

SargisPlusPlus commented 4 months ago

It appears that pkce-challenge v3.0.0 uses crypto-js v4.1.1. crypto-js v4.1.1 has known vulnerabilities.

It appears that latest version of pkce-challenge addresses the vulnerabilities.

Please upgrade crypto-js or pkce-challenge to latest version

anku255 commented 4 months ago

Hi @SargisPlusPlus,

Thanks for flagging this issue. After reviewing it:

  1. pkce-challenge@3.0.0 relies on crypto-js "^4.1.1" as a dependency, which should automatically update to crypto-js@4.2.0, fixing the vulnerability.

  2. Additionally, pkce-challenge isn't directly impacted by the PBKDF2 vulnerability as it doesn't use it anywhere.

I will be closing this issue for now. Please reply if you have further questions.