fix: update sha.js to ^2.4.12 to address CVE-2025-9288 #33
fglsn wants to merge 1 commit into browserify:master from
Conversation
fglsn commented Aug 22, 2025
- Bumps sha.js from ^2.4.11 to ^2.4.12
- Fixes security vulnerability where missing input type checks could lead to hash state rewind and value miscalculation
- CVE-2025-9288: GHSA-95m3-7q98-8xr5
There is never a need for PRs like this - all you need to do is update your lockfile.
Is it not useful to have these updates in place for when a new version should be released?

Nope! not at all. Whenever I do a new release, I always update deps beforehand. It's basically never helpful for a non-maintainer to update in-range dependencies, on any open source project.
Sorry for the noise then. The issue is most users get this transitively through other packages, so they can't control the We'll handle it with overrides on our end.

You shouldn't need overrides -
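The two remedies discussed in this thread are a lockfile refresh (pull the in-range fix by regenerating the lockfile) and a package.json `overrides` entry (pin every transitive copy to the fixed range). The script below is an added example, not code from this PR or from the browserify project: it walks a lockfile-v3 style `packages` map, reports every installed copy of sha.js below 2.4.12 (nested copies under a dependency's own `node_modules` are the ones a top-level bump does not reach), and emits the `overrides` fragment the PR author refers to. The lockfile contents, the package names in it and the helper names are constructed for the example.

```javascript
// Constructed lockfile fragment (package-lock.json, lockfileVersion 3 layout):
// the root depends on a hypothetical plugin that still pulls sha.js 2.4.11
// into its own node_modules, while the hoisted copy is already 2.4.12.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "some-bundler-plugin": "^1.0.0" } },
    "node_modules/some-bundler-plugin": {
      version: "1.0.0",
      dependencies: { "sha.js": "^2.4.11" },
    },
    "node_modules/some-bundler-plugin/node_modules/sha.js": { version: "2.4.11" },
    "node_modules/sha.js": { version: "2.4.12" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" and any prerelease
// or build suffix are ignored, which is enough for comparing release versions.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Every lockfile path at which `pkg` is installed below `fixed`, hoisted or nested.
function findVulnerable(lock, pkg, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isPkg = path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`);
    if (!isPkg || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// package.json "overrides" forces every transitive copy of `pkg` onto `range`;
// this is the fragment to merge into the consuming project's package.json.
function buildOverrides(pkg, range) {
  return { overrides: { [pkg]: range } };
}

const FIXED = "2.4.12";
const vulnerable = findVulnerable(SAMPLE_LOCK, "sha.js", FIXED);
for (const v of vulnerable) {
  console.log(`${v.path}: ${v.version} is below ${FIXED}`);
}
if (vulnerable.length > 0) {
  console.log(JSON.stringify(buildOverrides("sha.js", `^${FIXED}`), null, 2));
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result after `npm install` (or after adding the override and reinstalling) confirms no copy of the old range remains in the tree.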