fix(deps): upgrade pbkdf2 to 3.1.3 to fix predictable number generation CVEs#604
Open
devin-ai-integration[bot] wants to merge 1 commit intomainfrom
Open
fix(deps): upgrade pbkdf2 to 3.1.3 to fix predictable number generation CVEs#604devin-ai-integration[bot] wants to merge 1 commit intomainfrom
devin-ai-integration[bot] wants to merge 1 commit intomainfrom
Conversation
…on CVEs Upgrade pbkdf2 from 3.1.2 to ^3.1.3 to address: - CVE-2026-1863 (Predictable Number Generation, CVSS 9.1) - CVE-2026-1864 (Predictable Number Generation, CVSS 9.1) Changes: - Updated direct dependency from pinned 3.1.2 to ^3.1.3 - Added **/pbkdf2 resolution to ensure all transitive paths are upgraded - Updated yarn.lock to resolve pbkdf2 to 3.1.3 Co-Authored-By: Abhay Aggarwal <abhay.aggarwal@codeium.com>
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Upgrades the
pbkdf2dependency from pinned3.1.2to^3.1.3to remediate two critical CVEs:Changes
package.json: Updated direct dependency from"pbkdf2": "3.1.2"to"pbkdf2": "^3.1.3"package.json: Added"**/pbkdf2": "^3.1.3"toresolutionsto ensure all transitive paths are also upgradedyarn.lock: Updated resolved pbkdf2 version from 3.1.2 to 3.1.3Impact
app/core/Encryptor/pbkdf2.ts) usesreact-native-quick-cryptofor native PBKDF2 derivation and does not import thepbkdf2npm package directlypbkdf2npm package is consumed transitively by other crypto dependencies in the dependency treeReview & Testing Checklist for Human
yarn.lockresolves all pbkdf2 references to 3.1.3+ (runyarn why pbkdf2)Notes
yarn installcannot be run cleanly in this repo due to a pre-existing 404 on thereact-native-tcpGitHub tarball dependency (unrelated to this change). Theyarn.lockwas updated manually to resolve pbkdf2 to 3.1.3.pbkdf2@3.0.8entry in yarn.lock is a separate, older resolution used by legacyethereumjs-*packages and was not modified.Link to Devin session: https://app.devin.ai/sessions/b1020724d13d4c2fa1a2a771a56ca4f4
Requested by: @abhay-codeium
Devin Review