Remove unused dependencies #166326
Description
Remove Node.js polyfills still present after webpack 5 upgrade
Problem
Webpack 5 upgrade (PR #158878) kept vulnerable polyfills as dependencies:
- cipher-base@1.0.4 (CVE-2025-9287)
- pbkdf2@3.1.2 (CVE-2025-6545, CVE-2025-6547)
- sha.js@2.4.11 (CVE-2025-9288)
- browserify-sign@4.2.1 (CVE-2023-46234)
Solution
Remove polyfills - analysis shows they're not needed, but need to be explicitly removed:
webpack (direct dependency in cluster-ui & db-console)
└─> node-libs-browser
└─> crypto-browserify
├─> cipher-base
├─> pbkdf2
├─> sha.js
├─> browserify-sign
│ └─> elliptic
│ └─> bn.js
└─> create-ecdh
└─> elliptic
In webpack config:
fallback: {
...
crypto: false,
...
}
Jira issue: CRDB-61856