
Update crypto-browserify to latest #309

Closed

Conversation

digigarlab

@digigarlab digigarlab commented Feb 19, 2018

Description of changes:

Update crypto-browserify to 3.12.0.

The current version suffers from a severe vulnerability:

✗ High severity vulnerability found on [email protected]
- desc: Insecure Randomness
- info: https://snyk.io/vuln/npm:crypto-browserify:20140722

No regression should occur, even though I updated 2 major versions forward. Currently 3 functions of the lib are used:

  • crypto.createHash is directly pulled from create-hash
  • crypto.createHmac is directly pulled from create-hmac
  • crypto.randomBytes is what we want to fix

Since there is no proper test suite in this project (npm test runs eslint!), I had to resort to manual testing and it seems to work fine.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@codecov-io

codecov-io commented Feb 19, 2018

Codecov Report

Merging #309 into master will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master     #309   +/-   ##
=======================================
  Coverage   87.28%   87.28%           
=======================================
  Files          72       72           
  Lines        3428     3428           
  Branches      652      652           
=======================================
  Hits         2992     2992           
  Misses        419      419           
  Partials       17       17


@richardzcode
Contributor

npm remove --save crypto-browserify
npm install --save [email protected]
npm run build

Got a bunch of these errors:

ERROR in ./~/browserify-sign/browser/algorithms.json
Module parse failed: /Users/.../aws-amplify/packages/amazon-cognito-identity-js/node_modules/browserify-sign/browser/algorithms.json Unexpected token (2:27)
You may need an appropriate loader to handle this file type.

@digigarlab
Author

@richardzcode I didn't get those errors in my branch but I can reproduce in the latest master.

Those are webpack errors that occur when running npm run build:umd.

An npm ls shows that:

│ ├─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected]  deduped
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]

[email protected] depends on [email protected], but [email protected] brings [email protected].
Now it seems that webpack is trying to read all files in ./node_modules/browserify-aes/modes/ (which is @1.1.1) instead of ./node_modules/webpack/node_modules/browserify-aes/modes/.

A workaround would be to add the json-loader to the webpack config, but the best solution is probably to upgrade webpack too.

@sunoru

sunoru commented Apr 20, 2018

The update for crypto-browserify is really needed, or this may occur when using Webpack and UglifyJS along with aws-amplify: #546

@mlabieniec mlabieniec added this to the [email protected] milestone Apr 20, 2018
@powerful23
Contributor

Closing this pr as the change has been merged.

@github-actions

This pull request has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 12, 2021