
CVE-2024-48948 #95

Closed
cbelsole opened this issue Nov 21, 2024 · 5 comments

Comments

@cbelsole

Elliptic 6.5.5 contains a security vulnerability. Can y'all update it to 6.6.0?

@ljharb
Member

ljharb commented Nov 21, 2024

There’s no need, since we use a ^ semver range. You can just update your own lockfile.

@ljharb ljharb closed this as not planned on Nov 21, 2024
@mlhDevelopment

mlhDevelopment commented Nov 27, 2024

Can you be more specific - are you saying that your supported course of action for your library users is to do one of the following?

Also, just for confirmation, you will keep "elliptic": "^6.5.5" as your dependency, meaning there is a supported configuration of your library that references an insecure dependency?

Sorry, we have to document these things for our security team.

See also PR 94.

@mlhDevelopment

Created PR 96 which does not include the version bump.

@mlhDevelopment

I get it now - npm audit fix resolves the issue. No PR needed.

@ljharb
Member

ljharb commented Nov 27, 2024

You can even just npm update elliptic.
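The point made in the thread above, that a `^6.5.5` range already admits the patched `6.6.0` and so only the consumer's lockfile needs refreshing, can be checked mechanically. The following is an added example written for this page; it is not code from this project or from elliptic. It implements only the caret-range subset of npm's semver grammar (an assumption made to keep it dependency-free; real npm resolution uses the full `semver` package), and the registry version list it works on is a constructed sample, not a real registry query.

```javascript
// Added example (not from the issue or the project): a minimal npm caret-range
// checker that shows why a dependency declared as "^6.5.5" lets a consumer
// resolve elliptic 6.6.0 by updating their own lockfile, without any change
// to the library's package.json.
// ASSUMPTION: only plain x.y.z versions and ^x.y.z ranges are supported.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of two parsed [major, minor, patch] triples.
function compareParsed(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareVersions(a, b) {
  return compareParsed(parseVersion(a), parseVersion(b));
}

// A caret range allows updates that do not change the leftmost non-zero
// component of its lower bound:
//   ^6.5.5 -> >=6.5.5 <7.0.0   ^0.2.3 -> >=0.2.3 <0.3.0   ^0.0.3 -> >=0.0.3 <0.0.4
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lower = parseVersion(range.slice(1));
  const upper = [0, 0, 0];
  if (lower[0] > 0) upper[0] = lower[0] + 1;
  else if (lower[1] > 0) upper[1] = lower[1] + 1;
  else upper[2] = lower[2] + 1;
  return { lower, upper };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = caretBounds(range);
  return compareParsed(v, lower) >= 0 && compareParsed(v, upper) < 0;
}

// Given the range from the library's package.json, the version pinned in the
// consumer's lockfile, the first fixed version, and the versions available in
// the registry, decide what the consumer has to do to get off the vulnerable
// version. Mirrors the decision `npm update <pkg>` makes: it picks the highest
// version the declared range admits.
function remediationAdvice(range, lockedVersion, fixedVersion, available) {
  if (compareVersions(lockedVersion, fixedVersion) >= 0) {
    return { action: 'none', resolved: lockedVersion };
  }
  const candidates = available
    .filter((v) => satisfies(v, range) && compareVersions(v, fixedVersion) >= 0)
    .sort(compareVersions);
  if (candidates.length === 0) {
    // The fix lies outside the declared range; the library itself must bump it.
    return { action: 'manifest-change-needed', resolved: null };
  }
  return { action: 'update-lockfile', resolved: candidates[candidates.length - 1] };
}

// Constructed sample of registry versions (not a real registry listing).
const SAMPLE_REGISTRY = ['6.5.4', '6.5.5', '6.6.0', '7.0.0'];

// Scenario from the thread: range ^6.5.5, lockfile pinned to 6.5.5, fix in 6.6.0.
console.log(remediationAdvice('^6.5.5', '6.5.5', '6.6.0', SAMPLE_REGISTRY));
```

The `manifest-change-needed` branch is the case the thread does not have: if the fix had only shipped in a new major (say `7.0.0` with a `^6.5.5` range), no lockfile refresh could reach it and the library's own `package.json` would have to change. That distinction is what a security team wants documented when triaging a transitive dependency advisory.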
