fix: update sha.js to ^2.4.12 to address CVE-2025-9288

[fglsn]

• Bumps sha.js from ^2.4.11 to ^2.4.12
• Fixes security vulnerability where missing input type checks could lead to hash state rewind and value miscalculation
• CVE-2025-9288: GHSA-95m3-7q98-8xr5

[ljharb]

There is never a need for PRs like this - all you need to do is update your lockfile.

[gausie]

Is it not useful to have these updates in place for when a new version should be released?

[ljharb]

Nope! not at all. Whenever I do a new release, I always update deps beforehand. It's basically never helpful for a non-maintainer to update in-range dependencies, on any open source project.

[fglsn]

There is never a need for PRs like this - all you need to do is update your lockfile.

Sorry for the noise then.

The issue is most users get this transitively through other packages, so they can't control the sha.js version directly. Lockfiles may stick with vulnerable 2.4.11 without this change. The idea was that new installations would get the secure version by default.

We'll handle it with overrides on our end.

[ljharb]

You shouldn't need overrides - npm audit fix, or tools like renovate/dependabot, can handle it for you just fine.