chore: Update sha.js version #1098

fusmanii · 2025-09-04T13:47:15Z

Vulnerability in sha.js <= 2.4.11 GHSA-95m3-7q98-8xr5

Signed-off-by: Faisal Usmani <[email protected]>

pxrl · 2025-09-04T14:26:26Z

package.json

-    "**/eth-crypto/secp256k1": "5.0.1"
+    "**/eth-crypto/secp256k1": "5.0.1",
+    "**/create-hash/sha.js": "2.4.12",
+    "sha.js": "2.4.12"


Do we know where this outdated version comes from? If it's in the uma repo we should probably go upstream and fix it there so we don't need to override the resolution.

It looks like its coming from ethereum-cryptography which ethereumjs-util depends on

we are at latest version of ethereumjs-util already, so I think we need the resolution until they patch on their end

fusmanii requested review from mrice32, nicholaspai, pxrl and bmzig as code owners September 4, 2025 13:47

chore: Update sha.js version

a82c50c

Signed-off-by: Faisal Usmani <[email protected]>

fusmanii force-pushed the faisal/update-sha-js branch from bd89e30 to a82c50c Compare September 4, 2025 14:04

nicholaspai approved these changes Sep 4, 2025

View reviewed changes

pxrl reviewed Sep 4, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore: Update sha.js version #1098

chore: Update sha.js version #1098

Uh oh!

fusmanii commented Sep 4, 2025

Uh oh!

pxrl Sep 4, 2025

Uh oh!

fusmanii Sep 4, 2025

Uh oh!

fusmanii Sep 4, 2025

Uh oh!

Uh oh!

chore: Update sha.js version #1098

Are you sure you want to change the base?

chore: Update sha.js version #1098

Uh oh!

Conversation

fusmanii commented Sep 4, 2025

Uh oh!

pxrl Sep 4, 2025

Choose a reason for hiding this comment

Uh oh!

fusmanii Sep 4, 2025

Choose a reason for hiding this comment

Uh oh!

fusmanii Sep 4, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!