search

wonday / react-native-pdf

A <Pdf /> component for react-native
MIT License
1.6k stars 557 forks source link

Critical security vulnerability due to crypto-js on v6.7.1 #779

Closed elkinjosetm closed 1 year ago

elkinjosetm commented 1 year ago

What react-native version are you using? 0.72.5

What react-native-pdf version are you using? 6.7.1

What platform does your issue occur on? (android/ios/both) both

Critical security vulnerability reported by dependabot because of crypto-js v3.2.0 used on this library. According to the report, it was patched on v4.2.0.

terryatgithub commented 1 year ago

Is there some updates about this security issue? it's encountered by us too. thank you

elkinjosetm commented 1 year ago

I had to force the newer version, in our package.json file, I did a few tests and the upgrade seems safe

bentleyAl commented 1 year ago

@elkinjosetm how did you manage to do this?

elkinjosetm commented 1 year ago

@bentleyAl by forcing pnpm (the package manager that we use) to use it. Yarn and npm provide a way for you to do just that.

# package.json
...
"pnpm": {
  "overrides": {
    "crypto-js": "^4.2.0"
  }
}
bentleyAl commented 1 year ago

@elkinjosetm Worked like a charm! Was not aware of npm overrides. Thank you!

AbhinayMe commented 1 year ago

If you are using Yarn, add "resolutions" in the package.json

# package.json
...
"resolutions": {
  "crypto-js": "^4.2.0"
},
wonday commented 1 year ago

Have bump to 6.7.2 and included this update.

Sheriff-Oladimeji commented 9 months ago

@elkinjosetm Worked like a charm! Was not aware of npm overrides. Thank you!

How were you able to use in it in npm , still getting errors