wonday / react-native-pdf

A <Pdf /> component for react-native
MIT License
1.58k stars 534 forks

fix: bump crypto-js to avoid critical vulnerability #780

Closed IvanIhnatsiuk closed 8 months ago

IvanIhnatsiuk commented 9 months ago

Description

Snyk has informed us of a critical vulnerability in the crypto-js package, which is used in the react-native-pdf dependencies. In order to prevent this vulnerability I have updated crypto-js to the latest version.

For more details you can have a look at this Snyk report:

https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119

Closes

https://github.com/wonday/react-native-pdf/issues/779

wonday commented 8 months ago

Thanks

jasongaare commented 8 months ago

@wonday could we get this published to npm?

arisyo13 commented 8 months ago

Any updates on when you are going to release this to npm?

el173 commented 8 months ago

Hi @wonday, highly appreciate it if you could make an npm release with this critical vulnerability fix soon. :)

Maker-Mark commented 7 months ago

Was this included in a stable release? I'm seeing my own odd issues popping up in tests using 6.7.2, that don't happen in 6.6.2, i.e. https://github.com/wonday/react-native-pdf/issues/790

FYI, you can get this vulnerability update by providing override/resolutions in package.json so that the non-vulnerable version is used by npm/yarn installs:

  "overrides": {
    "crypto-js": "^4.2.0"
  },
  "resolutions": {
    "crypto-js": "^4.2.0"
  },
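
A way to confirm the override took effect, as an added example that is not part of the thread or the project's code: it scans an npm lockfile (lockfileVersion 2 or 3) for any crypto-js copy below the 4.2.0 floor used in the comment above, including copies nested under another package. The function names and the sample lockfile are constructed for illustration.

```javascript
// Floor taken from the "^4.2.0" override quoted in this thread.
const MIN_SAFE = [4, 2, 0];

// Parse "4.1.1" or "4.2.0-beta.1" into [major, minor, patch].
// Prerelease tags are ignored, so "4.2.0-beta.1" compares equal to 4.2.0.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when `version` is lower than `floor`.
function isBelow(version, floor) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable version: flag it for manual review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] < floor[i];
  }
  return false;
}

// Walk the "packages" map (keyed by install path) of a parsed package-lock.json.
function findOldCryptoJs(lock, floor = MIN_SAFE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the hoisted copy and nested copies such as
    // "node_modules/react-native-pdf/node_modules/crypto-js",
    // but not look-alike names such as "crypto-js-extra".
    if (!/(^|\/)node_modules\/crypto-js$/.test(path)) continue;
    if (isBelow(meta.version, floor)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from the project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/crypto-js": { version: "4.2.0" },
    "node_modules/react-native-pdf": { version: "0.0.0-placeholder" },
    "node_modules/react-native-pdf/node_modules/crypto-js": { version: "4.1.1" },
    "node_modules/crypto-js-extra": { version: "1.0.0" },
  },
};

console.log(findOldCryptoJs(sampleLock));
```

An empty result means every installed crypto-js copy is at or above the floor; any entry returned is a path where the override did not apply and the lockfile needs regenerating.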