
One of the nested dependencies "elliptic" has security vulnerability #381

Closed
tanmayghosh2507 opened this issue Jun 9, 2020 · 1 comment

Comments

@tanmayghosh2507

The karma-typescript package has been flagged in my organization's compliance report, since the elliptic npm package that it uses is not recommended.

Description Provided: all versions of elliptic are vulnerable to Timing Attack through side-channels.

Hence wondering if there is any plan to fix the vulnerability.

@erikbarke
Collaborator

This is a tough one, since elliptic is a sub-dependency:

And the elliptic dev seems to be aware of the issue but has no plans to fix it: indutny/elliptic#128.

Removing crypto-browserify isn't feasible, it would break a lot of backwards compatibility, and alternatives like brix/crypto-js seem to have the same vulnerability: brix/crypto-js#88 😞
