elliptic — “Uses a Cryptographic Primitive with a Risky Implementation” (GHSA-848j-6mx2-7j84)
The dependency chain is:
@meteorjs/rspack → node-polyfill-webpack-plugin → node-stdlib-browser → crypto-browserify → browserify-sign / create-ecdh → elliptic
This sits deep in the @meteorjs/rspack build toolchain rather than in runtime code that ships to users. One caveat: node-polyfill-webpack-plugin exists to substitute crypto-browserify for Node's `crypto` module in browser bundles, so if any client-side code imports `crypto`, the polyfill (and elliptic with it) does end up in the client bundle. Grepping the built client bundle for elliptic settles that question. The suggested fix (npm audit fix --force) would downgrade @meteorjs/rspack from
1.0.2 to 0.0.65, which is a breaking change and not worth it. This needs to be fixed upstream in @meteorjs/rspack.
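To confirm a chain like the one above from your own lockfile, and to see whether every path to elliptic starts from a devDependency, the following script walks a package-lock.json (lockfileVersion 2 or 3, the "packages" map) and prints each root-to-target path. This is an added example, not code from the original post, from @meteorjs/rspack or from npm; the sample lockfile it embeds is constructed to mirror the chain above, with versions omitted, and the function names are my own.

```javascript
// Added example (not from the original post or any of the projects it names): list every
// dependency path from the project root to a target package in a package-lock.json and
// flag whether the path starts from a devDependency, i.e. build-only exposure.

// Package name from a lockfile location: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameOf(loc) {
  return loc.slice(loc.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Node-style resolution: the nearest node_modules/<depName> at or above fromLoc.
function resolveDep(packages, fromLoc, depName) {
  let base = fromLoc;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // unresolved, e.g. an optional dependency that was skipped
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Adjacency list: location -> [{ to: location, dev: boolean }].
// Dev-ness is derived from the root's devDependencies, not from npm's per-entry "dev" flag.
function buildGraph(lock) {
  const packages = lock.packages || {};
  const graph = new Map();
  for (const [loc, entry] of Object.entries(packages)) {
    const edges = [];
    const groups = [
      [entry.dependencies, false],
      [entry.optionalDependencies, false],
      [entry.devDependencies, true], // only the root entry ("") carries these
    ];
    for (const [deps, dev] of groups) {
      for (const depName of Object.keys(deps || {})) {
        const to = resolveDep(packages, loc, depName);
        if (to) edges.push({ to, dev });
      }
    }
    graph.set(loc, edges);
  }
  return graph;
}

// Every acyclic path from the root to any installed copy of `target`.
function dependencyPaths(lock, target) {
  const graph = buildGraph(lock);
  const found = [];
  const walk = (loc, locChain, nameChain, dev) => {
    if (loc !== "" && nameOf(loc) === target) {
      found.push({ chain: nameChain, location: loc, dev });
      return;
    }
    for (const edge of graph.get(loc) || []) {
      if (locChain.includes(edge.to)) continue; // cycle guard
      walk(edge.to, [...locChain, edge.to], [...nameChain, nameOf(edge.to)], dev || edge.dev);
    }
  };
  walk("", [""], ["(root)"], false);
  return found;
}

function formatPaths(paths) {
  return paths.map(
    (p) => `${p.chain.join(" > ")}  [${p.dev ? "dev-only" : "RUNTIME"}] @ ${p.location}`
  );
}

// Constructed sample lockfile mirroring the chain in the post (versions omitted; the walk
// does not need them). browserify-sign gets a nested copy of elliptic to show that
// resolution picks the nearest node_modules, so two installed copies are reported.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { react: "*" }, devDependencies: { "@meteorjs/rspack": "*" } },
    "node_modules/react": {},
    "node_modules/@meteorjs/rspack": { dependencies: { "node-polyfill-webpack-plugin": "*" } },
    "node_modules/node-polyfill-webpack-plugin": { dependencies: { "node-stdlib-browser": "*" } },
    "node_modules/node-stdlib-browser": { dependencies: { "crypto-browserify": "*" } },
    "node_modules/crypto-browserify": { dependencies: { "browserify-sign": "*", "create-ecdh": "*" } },
    "node_modules/browserify-sign": { dependencies: { elliptic: "*" } },
    "node_modules/browserify-sign/node_modules/elliptic": {},
    "node_modules/create-ecdh": { dependencies: { elliptic: "*" } },
    "node_modules/elliptic": {},
  },
};

// Usage against a real project (CommonJS): node dep-paths.js package-lock.json elliptic
// With no arguments the constructed sample is used.
if (typeof require !== "undefined" && require.main === module && process.argv.length >= 4) {
  const lock = JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8"));
  console.log(formatPaths(dependencyPaths(lock, process.argv[3])).join("\n"));
} else {
  console.log(formatPaths(dependencyPaths(SAMPLE_LOCK, "elliptic")).join("\n"));
}
```

A path marked RUNTIME means the package is reachable from a production dependency and deserves a closer look; dev-only paths are the build-toolchain case described above. The location column tells you how many installed copies exist, which matters if you later pin or override a version.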
The issue is already well-tracked across the ecosystem. Here’s the situation:
No fix exists upstream. The root cause is in elliptic (all versions through 6.6.1), and the maintainer hasn’t responded to CVE-2025-14505.
Existing open issues:
- indutny/elliptic #344 — CVE-2025-14505 reported, 6 comments, no maintainer response
- node-polyfill-webpack-plugin #54 and #60 — both report this exact dependency chain
- crypto-browserify #255 — references GHSA-848j-6mx2-7j84
@meteorjs/rspack has no public GitHub repo, so there’s nowhere to file an issue specifically against it.