CVE-2024-48948

[cbelsole]

Elliptic 6.5.5 contains a security vulnerability. Can y'all update it to 6.6.0?

[ljharb]

There’s no need, since we use a ^ semver range. You can just update your own lockfile.

[mlhDevelopment]

Can you be more specific - are you saying that your supported course of action for your library users is to do one of the following?

• Regenerate the package-lock.json
  • Specifically, npm audit fix
• Manually edit the package-lock.json
• Add an "overrides" configuration to package.json to force a specific version of elliptic
• (or, obviously, use a forked version; it looks like these were updated, I'll include them for reference)
  • ahmedtausif/browserify-sign
  • sunsheeppoplar/browserify-sign
  • billcastle/browserify-sign

Also, just for confirmation, you will keep "elliptic": "^6.5.5" as your dependency, meaning there is a supported configuration of your library that references an insecure dependency?

Sorry, we have to document these things for our security team.

seealso PR 94

[mlhDevelopment]

Created PR 96 which does not include the version bump.

[mlhDevelopment]

I get it now - npm audit fix resolves the issue. No PR needed.

[ljharb]

You can even just npm update elliptic.