Security concern – Crypto-browserify dependency on vulnerable elliptic package

[vkb-stack]

Hi Team,

I’d like to report a security concern regarding crypto-browserify. The package currently depends on elliptic, which has a known critical vulnerability in its elliptic curve cryptography implementation.

Affected dependency: elliptic

Package: elliptic

Severity: Critical

Impact: Potential compromise of cryptographic strength

Details:GHSA-6p4c-r453-8743: PuTTY

Could you please review this dependency and update it to a secure version or recommend a mitigation path?

Thank you for maintaining this project and your support in addressing this issue.

[ljharb]

I think you linked to the wrong GHSA - that's about putty, not this package.

[vkb-stack]

crypto-browserify has transitive dependency on elliptic@6.6.0 ..the below dependency is using elliptic
1.browserify-sign
2.create-ecdh

As there there is no elliptic version without high vulnerablity. Can you please suggest how should we mitigate this issue..Will there be any updated crypto-browserify version which doesn't have dependency on elliptic.?
Thanks for all your support