fix: bump pbkdf2 to >=3.1.3 (CVE-2025-6547, CVE-2025-6545) #10

Open

persimmon16 wants to merge 1 commit into main from fix/CVE-2025-6547-CVE-2025-6545-pbkdf2
Conversation

@persimmon16

Summary

  • Adds a resolutions field to the root package.json to force pbkdf2 to >=3.1.3 across all Yarn workspaces
  • Remediates CVE-2025-6547 and CVE-2025-6545 (CVSS 9.1) in pbkdf2@3.1.2, a transitive production dependency
  • Resolved version: 3.1.5

Details

pbkdf2 is pulled in transitively by several packages (crypto-browserify, ethereum libraries, etc.). Since no direct dependency update can resolve this, a Yarn resolution override is the appropriate fix.

Test plan

  • Verify yarn install completes successfully
  • Verify yarn.lock no longer contains pbkdf2@3.1.2
  • Run existing test suite to confirm no regressions

Add yarn resolutions to force pbkdf2 to >=3.1.3 across all workspaces,
remediating CVE-2025-6547 and CVE-2025-6545 (CVSS 9.1). The vulnerable
version 3.1.2 was a transitive production dependency.
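An added example (not the project's code) of the check behind the test plan above: parse a Yarn v1 lockfile for every resolved copy of pbkdf2 and confirm each one meets the >=3.1.3 floor, so a second, still-vulnerable copy pinned by another workspace cannot slip through. The lockfile excerpts are constructed for illustration; the `RESOLUTIONS` object mirrors the package.json field the PR describes.

```javascript
// Added example, not the project's own code. Lockfile text below is constructed.

// The root package.json fragment this PR adds: Yarn applies it to every workspace.
const RESOLUTIONS = { resolutions: { pbkdf2: ">=3.1.3" } };

// Constructed yarn.lock excerpt after the override: both selectors collapse to 3.1.5.
const SAMPLE_LOCK_FIXED = `
pbkdf2@^3.0.3, pbkdf2@^3.1.2:
  version "3.1.5"
  resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.1.5.tgz"
`;

// Constructed excerpt where one transitive consumer still resolves to 3.1.2.
const SAMPLE_LOCK_VULNERABLE = `
pbkdf2@^3.0.3:
  version "3.1.2"
  resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.1.2.tgz"

pbkdf2@^3.1.2:
  version "3.1.5"
  resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.1.5.tgz"
`;

// Return every version a Yarn v1 lockfile resolves pkgName to (one per entry).
function resolvedVersions(lockText, pkgName) {
  const found = [];
  const lines = lockText.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    // Entry headers are unindented and end with ':' (e.g. `pbkdf2@^3.0.3, pbkdf2@^3.1.2:`).
    if (!line || /^\s/.test(line) || !line.endsWith(":")) continue;
    const selectors = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
    const names = selectors.map((s) => s.slice(0, s.lastIndexOf("@"))); // strip the range
    if (!names.includes(pkgName)) continue;
    // The entry body is indented; its `version "x.y.z"` line is the resolved version.
    for (let j = i + 1; j < lines.length && /^\s/.test(lines[j]); j++) {
      const m = lines[j].match(/^\s+version "([^"]+)"/);
      if (m) { found.push(m[1]); break; }
    }
  }
  return found;
}

// Numeric major.minor.patch comparison; negative if a < b, zero if equal, positive if a > b.
function cmpSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// True only when the package is present and every resolved copy is >= minVersion.
function resolutionEnforced(lockText, pkgName, minVersion) {
  const versions = resolvedVersions(lockText, pkgName);
  return versions.length > 0 && versions.every((v) => cmpSemver(v, minVersion) >= 0);
}
```

Run it against the real yarn.lock after `yarn install` by reading the file into `lockText`; the check is deliberately stricter than grepping for the single string `pbkdf2@3.1.2`, since it fails on any resolved version below the floor.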