The library crypto-browserify, which is a dependency in the newest version of botframework-connector, uses browserify-sign, which uses another package, elliptic, which in turn uses hash.js. The use of the package hash.js violates Microsoft policy for the use of approved crypto libraries.
We have received a security alert for having this module in our package-lock, and after investigating, it turns out that we get it from botframework-connector. We kindly ask that this module is either removed or that an investigation is opened to verify that no code flows into any of the functionality of hash.js.
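The lockfile investigation described in the report above, as an added example that is not part of the original issue or of the botframework project: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and lists every dependency chain that ends at a given package. The function names and the sample lockfile are constructed for illustration; the sample mirrors the chain stated in the report.

```javascript
// Resolve `name` as required from the package stored under lockfile key `fromKey`,
// the way Node does: nearest nested node_modules first, then each parent level.
function resolve(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Return every chain of package names from the root project down to `target`.
// Enumerates all paths, so use it for one audited package at a time.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (key, trail, seen) => {
    const pkg = packages[key] || {};
    const dev = key === '' ? pkg.devDependencies : undefined; // root project only
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...dev };
    for (const name of Object.keys(deps)) {
      const next = resolve(packages, key, name);
      if (!next || seen.has(next)) continue; // missing, or a dependency cycle
      const chain = [...trail, name];
      if (name === target) { chains.push(chain); continue; }
      walk(next, chain, new Set(seen).add(next));
    }
  };
  walk('', [], new Set(['']));
  return chains;
}

// Constructed sample lockfile; version ranges are placeholders, not real data.
// For a real project, pass JSON.parse of the contents of package-lock.json.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'botframework-connector': '*' } },
    'node_modules/botframework-connector': { dependencies: { 'crypto-browserify': '*' } },
    'node_modules/crypto-browserify': { dependencies: { 'browserify-sign': '*' } },
    'node_modules/browserify-sign': { dependencies: { elliptic: '*' } },
    'node_modules/elliptic': { dependencies: { 'hash.js': '*' } },
    'node_modules/hash.js': {},
  },
};

console.log(findChains(sampleLock, 'hash.js').map((c) => c.join(' > ')).join('\n'));
```

Each printed chain starts at a direct dependency of the project, which is the package to raise the finding against or to pin with an override.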