Critical security vulnerability reported by dependabot because of crypto-js v4.1.1 being used as a dependency.

The issue is patched in v4.2.0.

More details here.

Note: crypto-js itself has been discontinued, with the recommendation to switch to the native Crypto module (via node, etc). But that can be a separate enhancement request if need be.

Released v2.40.1 with all upgraded dependencies.