Vulnerability in pbkdf dependency

[hughie-ada]

The vulnerability is pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos, advisory here. This affects all versions below 3.1.3. The most recent version of crypto-browserify (3.12.1) uses pbkdf v3.1.2.

[ljharb]

Incorrect; it uses a semver range that includes the patched version. It’s always up to end users to update their own lockfiles when a fix is in range - no change is needed here.