Security Vulnerability in crypto-js (GHSA-xwcq-pm8m-c4vf) #10650

cameron-brown-future · 2023-10-27T12:28:25Z

Type of issue

Dependency Update due to Security Vulnerability

A critical vulnerability has been found in the dependency crypto-js
Details can be seen here: GHSA-xwcq-pm8m-c4vf
This is causing npm audit to fail, with the suggested fix being to downgrade to prebid.js 1.27, which is not acceptable.

Run npm audit in a project with prebid.js installed via the package.json

npm audit should suggest a newer version of prebid.js with the vulnerable package updated

npm audit suggests a downgrade to prebid.js 1.27

Mac OS

The text was updated successfully, but these errors were encountered:

patmmccann · 2023-10-27T12:53:08Z

@allanjun or @osazos please take a look

patmmccann · 2023-10-27T13:14:33Z

Fixed

prebid-issue-tracker bot added this to Prebid.js Tactical Issues table Oct 27, 2023

github-project-automation bot moved this to Triage in Prebid.js Tactical Issues table Oct 27, 2023

patmmccann assigned allanjun Oct 27, 2023

patmmccann moved this from Triage to Ready for Dev in Prebid.js Tactical Issues table Oct 27, 2023

patmmccann mentioned this issue Oct 27, 2023

Bump crypto-js from 3.3.0 to 4.2.0 #10645

Merged

patmmccann closed this as completed Oct 27, 2023

github-project-automation bot moved this from Ready for Dev to Done in Prebid.js Tactical Issues table Oct 27, 2023