GMS-2020-424: Insufficient Entropy in parsel

September 4, 2020 (updated October 4, 2021)

All versions of parsel use an insecure key derivation function. The package runs keys of arbitrary lengths through one round of SHA256 hashing for key stretching. This allows for the use of keys of insufficient entropy with inappropriate key stretching. The package is deprecated and will not be updated. Consider using an alternative package.

References

github.com/advisories/GHSA-vjvw-wcmw-pr26
www.npmjs.com/advisories/1462

Code Behaviors & Features

Detect and mitigate GMS-2020-424 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →