Critical security vulnerability due to crypto-js on v6.7.1

Question

Critical security vulnerability due to crypto-js on v6.7.1

elkinjosetm opened this issue 8 months ago · comments

What react-native version are you using?
0.72.5

What react-native-pdf version are you using?
6.7.1

What platform does your issue occur on? (android/ios/both)
both

Critical security vulnerability reported by dependabot because of crypto-js v3.2.0 used on this library. According to the report, it was patched on v4.2.0.

Bo Yuan · Answer 1 · Fri Oct 27 2023 18:50:31 GMT+0800 (China Standard Time)

Is there some updates about this security issue? it's encountered by us too.
thank you

Elkin Torres · Answer 2 · Fri Oct 27 2023 21:38:24 GMT+0800 (China Standard Time)

I had to force the newer version, in our package.json file, I did a few tests and the upgrade seems safe

bentleyAl · Answer 3 · Thu Nov 02 2023 23:45:52 GMT+0800 (China Standard Time)

@elkinjosetm how did you manage to do this?

Elkin Torres · Answer 4 · Fri Nov 03 2023 09:34:48 GMT+0800 (China Standard Time)

@bentleyAl by forcing pnpm (the package manager that we use) to use it. Yarn and npm provide a way for you to do just that.

# package.json
...
"pnpm": {
  "overrides": {
    "crypto-js": "^4.2.0"
  }
}

bentleyAl · Answer 5 · Fri Nov 03 2023 21:57:15 GMT+0800 (China Standard Time)

@elkinjosetm Worked like a charm! Was not aware of npm overrides. Thank you!

Abhi M · Answer 6 · Tue Nov 07 2023 11:04:55 GMT+0800 (China Standard Time)

If you are using Yarn, add "resolutions" in the package.json

# package.json
...
"resolutions": {
  "crypto-js": "^4.2.0"
},

wonday · Answer 7 · Sun Nov 19 2023 22:40:33 GMT+0800 (China Standard Time)

Have bump to 6.7.2 and included this update.

Sheriff Oladimeji · Answer 8 · Wed Feb 21 2024 22:19:54 GMT+0800 (China Standard Time)

@elkinjosetm Worked like a charm! Was not aware of npm overrides. Thank you!

How were you able to use in it in npm , still getting errors