
Remove discontinued crypto-js package #2608

Merged: 1 commit merged into MarkBind:master on Feb 26, 2025

Conversation

@lhw-1 (Contributor) commented Feb 20, 2025

What is the purpose of this pull request?

  • Documentation update
  • Bug fix
  • Feature addition or enhancement
  • Code maintenance
  • DevOps
  • Improve developer experience
  • Others, please explain:

Partially addresses #2607.

Overview of changes:

As brought up with #2607, there are several npm vulnerabilities we could take a look at and potentially address.

This PR resolves the critical vulnerability caused by the crypto-js package in particular (mainly because it stands out as the only critical vulnerability).

[image]

Anything you'd like to highlight/discuss:

We started using the native crypto module in Node.js in #113, for the markdown-it radio buttons.

After PlantUML was introduced as a plugin, we started using crypto-js instead of the crypto module in #1403, which was a massive PR (and likely was overlooked). Since then, the crypto-js package was discontinued, and the npm package webpage even directly suggests using the native crypto module instead.

The vulnerability introduced by crypto-js is as seen here.

[image: cryptojswarning]

Given that the use case for crypto-js in MarkBind was just generating MD5 hashes in the PlantUML plugin (where security is not really a huge concern), it is not a critical issue on our end. Still, keeping the standard consistent and removing the scary critical keyword is, in my opinion, a worthwhile improvement.

This PR simply removes the package and replaces the usage of crypto-js for MD5 hashes with that of the native crypto module.

Testing instructions:

Proposed commit message: (wrap lines at 72 characters)
Remove discontinued crypto-js package


Checklist: ☑️

  • Updated the documentation for feature additions and enhancements
  • Added tests for bug fixes or features
  • Linked all related issues
  • No unrelated changes

Reviewer checklist:

Indicate the SEMVER impact of the PR:

  • Major (when you make incompatible API changes)
  • Minor (when you add functionality in a backward compatible manner)
  • Patch (when you make backward compatible bug fixes)

At the end of the review, please label the PR with the appropriate label: r.Major, r.Minor, r.Patch.

Breaking change release note preparation (if applicable):

  • To be included in the release note for any feature that is made obsolete/breaking

Give a brief explanation note about:

  • what was the old feature that was made obsolete
  • any replacement feature (if any), and
  • how the author should modify his website to migrate from the old feature to the replacement feature (if possible).

@lhw-1 lhw-1 added the r.Patch Version resolver: increment by 0.0.1 label Feb 20, 2025
@kaixin-hc (Contributor) left a comment


good idea & lgtm, verified netlify deployment still works as expected. thanks!

@lhw-1 lhw-1 merged commit 2cadb78 into MarkBind:master Feb 26, 2025
9 checks passed
Labels
r.Patch Version resolver: increment by 0.0.1