GHSA-3w3w-pxmm-2w2j: 3.3.0 should be in affected versions, not unaffected

The current affected range (`< 3.2.1`) implicitly marks `3.3.0` as unaffected. It is not.
 
Version 3.3.0 was published on 2020-02-12 as an explicit rollback to the 3.1.9-1 codebase. The npm release notes state: "3.3.0 is the same as 3.1.9-1." The `Math.random()`-based RNG that the advisory describes as insecure is present and identical in 3.3.0.
 
References
 
- npm release notes: https://www.npmjs.com/package/crypto-js (3.3.0 entry)
- Rollback tag: https://github.com/brix/crypto-js/releases/tag/3.3.0
- Advisory JSON: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-3w3w-pxmm-2w2j/GHSA-3w3w-pxmm-2w2j.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GHSA-3w3w-pxmm-2w2j: 3.3.0 should be in affected versions, not unaffected #7176

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

GHSA-3w3w-pxmm-2w2j: 3.3.0 should be in affected versions, not unaffected #7176

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions