wonday / react-native-pdf

A <Pdf /> component for react-native
MIT License

fix: bump crypto-js to avoid critical vulnerability #780

Closed IvanIhnatsiuk closed 1 year ago

IvanIhnatsiuk commented 1 year ago

Description

Snyk has informed us of a critical vulnerability in the crypto-js package, which is used in the react-native-pdf dependencies. In order to prevent this vulnerability I have updated crypto-js to the latest version.

For more details, you can have a look at this Snyk report:

https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119

Closes

https://github.com/wonday/react-native-pdf/issues/779

wonday commented 1 year ago

Thanks

jasongaare commented 1 year ago

@wonday could we get this published to npm?

arisyo13 commented 1 year ago

Any updates on when you are going to release this to npm?

el173 commented 1 year ago

Hi @wonday, highly appreciate it if you could make an npm release with this critical vulnerability fix soon. :)

Maker-Mark commented 11 months ago

Was this included in a stable release? I'm seeing my own odd issues popping up in tests using 6.7.2, that don't happen in 6.6.2. I.e. https://github.com/wonday/react-native-pdf/issues/790

FYI, you can get this vulnerability update by providing override/resolutions in package.json so that the non-vulnerable version is used by npm/yarn installs

  "overrides": {
    "crypto-js": "^4.2.0"
  },
  "resolutions": {
    "crypto-js": "^4.2.0"
  },
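
To confirm that an override or resolution like the one above actually took effect, the installed tree can be checked for leftover old copies. The following is an added example, not part of the thread or of the project's code: it scans the `packages` map of an npm lockfile (lockfileVersion 2 or 3) for any `crypto-js` copy below 4.2.0. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: find crypto-js copies in an npm lockfile that are older than
// the version pinned by the overrides/resolutions shown in the thread.
const MIN_SAFE = "4.2.0"; // taken from the "^4.2.0" override on this page

// Compare two plain x.y.z versions; pre-release/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` whose version is below `minVersion`.
// `lock` is the parsed package-lock.json object.
function findOutdated(lock, name = "crypto-js", minVersion = MIN_SAFE) {
  const suffix = "node_modules/" + name;
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match hoisted and nested copies, but not e.g. "node_modules/@scope/crypto-js".
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    // A copy with no recorded version is reported too, since it cannot be verified.
    if (!meta.version || compareVersions(meta.version, minVersion) < 0) {
      found.push({ path, version: meta.version || "unknown" });
    }
  }
  return found;
}

// Constructed sample lockfile: one hoisted safe copy and one nested old copy,
// which is the situation an override is meant to eliminate.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/crypto-js": { version: "4.2.0" },
    "node_modules/react-native-pdf": { version: "0.0.0-placeholder" },
    "node_modules/react-native-pdf/node_modules/crypto-js": { version: "4.1.1" },
  },
};

for (const hit of findOutdated(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.version} is below ${MIN_SAFE}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findOutdated` instead of `SAMPLE_LOCK`; an empty result means no copy below 4.2.0 remains in the lockfile.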