Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update idtoken-verifier to 2.1.2 #1182

Merged
merged 1 commit into from
May 26, 2021
Merged

Update idtoken-verifier to 2.1.2 #1182

merged 1 commit into from
May 26, 2021

Conversation

stevehobbsdev
Copy link
Contributor

Changes

This PR updates to [email protected] to fix an issue in
[email protected] that requires a native Crypto module to be present. This
effectively reverts to [email protected] while we determine a long-term fix.

References

Fixes #1181

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds unit test coverage
  • This change adds integration test coverage

Checklist

@stevehobbsdev stevehobbsdev requested a review from a team as a code owner May 26, 2021 12:49
@stevehobbsdev stevehobbsdev added this to the v9.16.2 milestone May 26, 2021
@stevehobbsdev stevehobbsdev merged commit 23c2483 into master May 26, 2021
@stevehobbsdev stevehobbsdev deleted the deps/idtv branch May 26, 2021 12:53
@stevehobbsdev stevehobbsdev mentioned this pull request May 26, 2021
@MengRS
Copy link

MengRS commented Jun 15, 2021

I could be wrong, but the following states that crypto-js 3.3.0 is still vulnerable: https://snyk.io/vuln/SNYK-JS-CRYPTOJS-548472

@stevehobbsdev
Copy link
Contributor Author

stevehobbsdev commented Jun 16, 2021

@MengRS You would be correct. We cannot upgrade just yet as it has an adverse effect upstream and as mentioned in the PR, we are still determining the best course of action. However, we've done an internal security audit and we do not use any of the API in crypto-js that has been considered vulnerable; we're interested in upgrading more for the optics of using a dependency with published vulnerabilities.

Hope that helps

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

can't resolve crypt module
3 participants