From baf37d36b7616b1cabbba64994c02aa6e12e5d7d Mon Sep 17 00:00:00 2001
From: Jocelyn van Heerde
Date: Tue, 31 Mar 2026 09:24:56 +0200
Subject: [PATCH] SEC: Pin crypto-js to exact version

Pin crypto-js dependency to prevent npm/yarn from resolving to compromised version 4.2.1. Removes caret (^) range prefix to lock the dependency at the currently specified safe version.

Co-Authored-By: Claude Opus 4.6
---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 0bc1d42..7cc429f 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,7 @@
 "chance": "^1.1.6",
 "color-contrast": "0.0.1",
 "colorthief": "^2.3.0",
- "crypto-js": "^4.0.0",
+ "crypto-js": "4.0.0",
 "dotenv": "^8.1.0",
 "express": "^4.16.4",
 "helmet": "^4.0.0",
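Review bot: Changing the range to `"crypto-js": "4.0.0"` in package.json does not by itself stop an already-resolved 4.2.1 from being installed: the diffstat shows only package.json changed, so any committed package-lock.json or yarn.lock still records whatever was resolved earlier, and `npm ci` installs from the lockfile rather than from this range. A top-level range also has no effect on copies of crypto-js pulled in transitively by other dependencies. The lockfile should be regenerated and committed in the same change, and if the tree pulls crypto-js transitively an npm `overrides` / yarn `resolutions` entry is the mechanism that actually forces one version. It is also worth confirming that 4.0.0 is the intended target rather than the last known-good 4.2.x: the old `^4.0.0` range never specified 4.0.0 as the installed version, and older 4.x releases may lack later fixes, so "currently specified safe version" in the description is presumably not what was installed before this change.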