Critical security vulnerability due to crypto-js dependency
stevehealy opened this issue · comments
Critical security vulnerability reported by dependabot because of crypto-js v4.1.1
being used as a dependency.
The issue is patched in v4.2.0
.
Note: crypto-js itself has been discontinued, with the recommendation to switch to the native Crypto
module (via node, etc). But that can be a separate enhancement request if need be.
Released v2.40.1 with all upgraded dependencies.