Known vulnerability for @meteor/rspack dependency and maintainer doesn't respond

a4xrbj1 · April 4, 2026, 3:31pm

elliptic — “Uses a Cryptographic Primitive with a Risky Implementation” (GHSA-848j-6mx2-7j84)

The dependency chain is:
@meteorjs/rspack → node-polyfill-webpack-plugin → node-stdlib-browser → crypto-browserify → browserify-sign / create-ecdh → elliptic

This is deep in the @meteorjs/rspack build toolchain — not runtime code that ships to users. The suggested fix (npm audit fix --force) would downgrade @meteorjs/rspack from
1.0.2 to 0.0.65, which is a breaking change and not worth it. This needs to be fixed upstream in @meteorjs/rspack.

The issue is already well-tracked across the ecosystem. Here’s the situation:

No fix exists upstream. The root cause is in elliptic (all versions through 6.6.1), and the maintainer hasn’t responded to CVE-2025-14505.

Existing open issues:

indutny/elliptic #344 — CVE-2025-14505 reported, 6 comments, no maintainer response
node-polyfill-webpack-plugin #54 and #60 — both report this exact dependency chain
crypto-browserify #255 — references GHSA-848j-6mx2-7j84

@meteorjs/rspack has no public GitHub repo, so there’s nowhere to file an issue specifically against it.

@nachocodoner

nachocodoner · April 4, 2026, 7:46pm

Thank you for this report. The issue is well described, and it’s true that the elliptic maintainers haven’t provided a fix:

Because of that, downstream dependents can’t act directly on it, though they could provide a fallback and get rid of this vulnerable dependency:

That said, in the Meteor-Rspack context, node-polyfill-webpack-plugin (which pulls in crypto-browserify → elliptic) is only used for test client builds (isTest && isClient). It is not part of the production client bundle. In normal/production builds, @meteorjs/rspack uses a restrictive allowlist and explicitly sets crypto to false. So crypto-browserify and elliptic are never bundled into apps that ship to users as far as I understand.

However, it’s true that npm audit fix --force would downgrade @meteorjs/rspack to 0.0.65, which is a breaking change, and requires attention. We’ll look into removing node-polyfill-webpack-plugin entirely in favor of importing only the needed polyfills directly, excluding crypto-browserify from the dependency tree altogether. Modern browsers already support the Web Crypto API natively, so polyfilling crypto on the client side is largely unnecessary. I will verify that next week.

@meteorjs/rspack has no public GitHub repo, so there’s nowhere to file an issue specifically against it.

By the way, the @meteorjs/rspack npm package lives in meteor/meteor#npm-packages/meteor-rspack, feel free to file an issue there so we can track it.

I will also take the chance to update the @meteorjs/rspack metadata so it properly states the repository where it lives. It is fully public, and other contributors have already provided fixes for it as part of meteor/meteor.

xet7 · April 4, 2026, 8:33pm

I just found this forum post, after adding this issue:

github.com/meteor/meteor

npm fix --force downgrades rspack and breaks builds

opened 08:17PM - 04 Apr 26 UTC

xet7

## Elliptic is already overridden and fixed, but npm audit does not recognize th…at. ``` $ npm list elliptic wekan@v8.54.0 /home/wekan/repos/wekan └─┬ @meteorjs/rspack@1.0.2 └─┬ node-polyfill-webpack-plugin@4.1.0 └─┬ node-stdlib-browser@1.3.1 └─┬ crypto-browserify@3.12.1 ├─┬ browserify-sign@4.2.5 │ └── elliptic@6.6.1 overridden └─┬ create-ecdh@4.0.4 └── elliptic@6.6.1 deduped ``` ## npm audit ``` $ git clone https://github.com/wekan/wekan $ cd wekan $ npm audit # npm audit report elliptic * Elliptic Uses a Cryptographic Primitive with a Risky Implementation - https://github.com/advisories/GHSA-848j-6mx2-7j84 fix available via `npm audit fix --force` Will install @meteorjs/rspack@0.0.65, which is a breaking change node_modules/elliptic browserify-sign >=2.4.0 Depends on vulnerable versions of elliptic node_modules/browserify-sign crypto-browserify >=3.4.0 Depends on vulnerable versions of browserify-sign Depends on vulnerable versions of create-ecdh node_modules/crypto-browserify node-stdlib-browser * Depends on vulnerable versions of crypto-browserify node_modules/node-stdlib-browser node-polyfill-webpack-plugin >=4.1.0 Depends on vulnerable versions of node-stdlib-browser node_modules/node-polyfill-webpack-plugin @meteorjs/rspack >=0.0.66 Depends on vulnerable versions of node-polyfill-webpack-plugin node_modules/@meteorjs/rspack create-ecdh * Depends on vulnerable versions of elliptic node_modules/create-ecdh 7 low severity vulnerabilities To address all issues (including breaking changes), run: npm audit fix --force ```

xet7 · April 4, 2026, 8:43pm

Related to what is mentioned at Known vulnerability for @meteor/rspack dependency and maintainer doesn't respond by a4xrbj1

Newest source code not available

NPM package does not list source code repo, where would be these newest versions:

Version	Downloads (Last 7 Days)	Tag
1.0.2	600	latest
1.1.0-beta.34	120	beta

https://www.npmjs.com/package/@meteorjs/rspack?activeTab=versions

Meteor repo is not the correct upstream repo

Meteor repo is not the correct upstream, there is old version:

  "name": "@meteorjs/rspack",
  "version": "1.0.1",

github.com

meteor/meteor/blob/devel/npm-packages/meteor-rspack/package.json#L3


      
          {
            "name": "@meteorjs/rspack",
            "version": "1.0.1",
            "description": "Configuration logic for using Rspack in Meteor projects",
            "main": "index.js",
            "type": "commonjs",
            "author": "",
            "license": "ISC",
            "dependencies": {
              "fast-deep-equal": "^3.1.3",
              "ignore-loader": "^0.1.2",
              "node-polyfill-webpack-plugin": "^4.1.0",
              "webpack-merge": "^6.0.1"

nachocodoner · April 4, 2026, 8:58pm

Yeah, 1.0.2 and 1.0.1 are effectively the same. I needed to publish a quick patch because I had marked a beta version as the latest @meteorjs/rspack release and any user was getting that one. It seems I forgot to push the file change for the 1.0.2 version bump. Sorry.