
Issue: Update dependency on crypto-js in hashconnect #216

@adjuric-symphony

Description

We currently use hashconnect version 0.2.9 (latest version is still beta), which has a peer dependency on crypto-js version 4.1.1. This version has critical vulnerabilities, and while we attempted to update to crypto-js version 4.2.0, we encountered the following error:

Uncaught (in promise) Error: Invalid encrypted text received. Decryption halted.
    at SimpleCrypto3._decrypt (hashconnect.js?v=12f064f6:6815:19)
    at SimpleCrypto3.decrypt (hashconnect.js?v=12f064f6:6856:25)
    at MessageUtil.decrypt (hashconnect.js?v=12f064f6:7418:29)
    at MessageUtil.decode (hashconnect.js?v=12f064f6:7395:31)
    at Object.callback (hashconnect.js?v=12f064f6:7820:43)
    at Event4.emit (hashconnect.js?v=12f064f6:116:20)
    at WebSocketRelay.processMessage (hashconnect.js?v=12f064f6:6931:18)
    at socket.onmessage (hashconnect.js?v=12f064f6:6979:12)

Expected Behavior

Updating crypto-js to version 4.2.0 should not break the decryption functionality in hashconnect.

Actual Behavior

When using the updated crypto-js, decryption fails with an "Invalid encrypted text" error.

Proposed Solution

Please investigate the compatibility issues between hashconnect and the newer version of crypto-js. Updating to the latest version should resolve the vulnerabilities and maintain functionality.

Summary of Vulnerabilities in crypto-js

Weaknesses in PBKDF2 Implementation:

  • Low Iteration Count: Defaults to a single iteration, drastically reducing security (1,000 times weaker than originally specified, 1,300,000 times weaker than current standards).
  • Insecure Hash Algorithm: Uses SHA-1, which has been considered insecure since 2005.

Potential Impacts:

  • High risk for password protection and digital signatures.
  • Attackers can create collisions or forge signatures using known prefixes, compromising confidentiality.
  • Affected Versions: All versions are impacted; the issue has existed since the library's inception.
