
fix: update sha.js to ^2.4.12 to address CVE-2025-9288

Open fglsn opened this issue 4 months ago • 2 comments

  • Bumps sha.js from ^2.4.8 to ^2.4.12
  • Fixes security vulnerability where missing input type checks could lead to hash state rewind and value miscalculation
  • CVE-2025-9288: https://github.com/advisories/GHSA-95m3-7q98-8xr5

fglsn, Aug 22 '25 10:08

lockfile is unrelated also this change doesn't improve anything but causes extra churn

ChALkeR, Aug 22 '25 22:08

lockfile is unrelated

Thanks for the comment. Lockfile addition was accidental, removed it.

also this change doesn't improve anything but causes extra churn

Fair enough on the churn. The issue is that most users get this transitively through other packages, so they can't control the sha.js version directly. Lockfiles will stick with vulnerable 2.4.11 without this change. The idea behind this was that new installations would get the secure version by default.

But understood if you prefer to keep it as-is. We are handling this with overrides on our end.

fglsn, Aug 25 '25 15:08
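The "overrides on our end" approach mentioned above, shown as an added example that is not part of this PR thread or of the create-hmac project: an npm `package.json` fragment that forces every transitive copy of sha.js to a version that includes the CVE-2025-9288 fix. The package name `my-app`, its version and the `some-dependency` entry are placeholders; the `overrides` key and the sha.js version range are real.

```json
{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "some-dependency": "^1.0.0"
  },
  "overrides": {
    "sha.js": "^2.4.12"
  }
}
```

After editing `package.json`, run `npm install` so the lockfile is regenerated, then confirm with `npm ls sha.js` that no copy below 2.4.12 remains in the tree. Yarn uses a `resolutions` block and pnpm a `pnpm.overrides` block for the same purpose; `npm audit` will report the advisory GHSA-95m3-7q98-8xr5 as long as a vulnerable sha.js is still resolved.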