[Snyk] Security upgrade jsrsasign from 8.0.24 to 11.1.1

[revan-zhang]

Snyk has created this PR to fix 6 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• libs/combined/package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Missing Cryptographic Step SNYK-JS-JSRSASIGN-15370941	745
	Improper Verification of Cryptographic Signature SNYK-JS-JSRSASIGN-15370940	730
	Infinite loop SNYK-JS-JSRSASIGN-15370938	710
	Incorrect Conversion between Numeric Types SNYK-JS-JSRSASIGN-15371175	710
	Incomplete Comparison with Missing Factors SNYK-JS-JSRSASIGN-15370939	665
	Division by zero SNYK-JS-JSRSASIGN-15371176	530

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

---

---

Note

Medium Risk
Upgrades a cryptography dependency across a major version, which could introduce subtle behavioral/compatibility changes in any signing/verification usage despite being a targeted dependency-only change.

Overview
Updates libs/combined/package.json to upgrade jsrsasign from ^8.x to ^11.1.1 as a security remediation, leaving the rest of the dependency set unchanged.

^{Written by Cursor Bugbot for commit 2a48161. This will update automatically on new commits. Configure here.}

[revan-zhang]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[devin-ai-integration]

Devin Review found 1 potential issue.

View 2 additional findings in Devin Review.

[devin-ai-integration]

🔴 package-lock.json not updated to match new jsrsasign version range

The package.json bumps jsrsasign from ^8.0.19 to ^11.1.1, but libs/combined/package-lock.json still pins jsrsasign to version 8.0.24 (libs/combined/package-lock.json:5061-5064). Version 8.0.24 does not satisfy the new ^11.1.1 range (different major version). This means npm ci will fail due to the mismatch between package.json and package-lock.json, and the security fix this PR intends to deliver will not actually be installed in reproducible builds.

Prompt for agents

Run `npm install` (or `npm i`) inside the libs/combined directory to regenerate the package-lock.json file so that it resolves jsrsasign to a version satisfying ^11.1.1. Then commit the updated libs/combined/package-lock.json alongside the package.json change. Without this, `npm ci` will fail and the intended version upgrade will not take effect.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Lock file not updated, security fix ineffective

High Severity

The package-lock.json was not updated alongside this package.json change. The lockfile still pins jsrsasign at 8.0.24 (the vulnerable version), so npm ci will either fail due to the mismatch or continue installing the vulnerable version. Additionally, jsrsasign is not directly imported in index.js — it's only consumed as a transitive dependency of elastos-wallet-js, which requires ^8.0.12. Since ^11.1.1 doesn't satisfy ^8.0.12, npm will still install a vulnerable 8.x copy nested under elastos-wallet-js, meaning the security fix does not actually protect the code that uses the library.