jfromaniello/selfsigned

Vulnerability in node-forge 0.9.0

kachkaev opened this issue · 12 comments

👋

It'd be great if a new version of selfsigned could be released with node-forge bumped to ^0.10.0. See https://nvd.nist.gov/vuln/detail/CVE-2020-7720

It'd also be great for the new release to be non-breaking if possible, to allow the users of webpack-dev-server to upgrade without fiddling with resolutions or waiting for a new release of webpack-dev-server. Its package.json refers to ^1.10.7, so both ^1.11.0 and ^1.10.8 would match the range.

+1 to @kachkaev's ask. Waiting on the same. It would be great if we could get a reply on this from the team as well.

+1 to @kachkaev's ask. Waiting on the same.

+1

There is a pull request already from @dependabot #42

Would be great if a team member can check it

This one is better because it is more permissive. Dependabot pins to 0.10.0, but this would allow clients to use 0.10.1, 0.10.2, etc.
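The range arithmetic behind the two comments above (^1.10.7 matching both 1.10.8 and 1.11.0, and ^0.10.0 allowing 0.10.1 but a bare 0.9.0 allowing nothing else) is easy to get wrong, especially the caret rule for 0.x versions. The following is an added example, not code from the selfsigned project or from anyone in this thread: a minimal npm-style matcher for exact pins and caret ranges, plus a two-level resolver that walks app -> selfsigned -> node-forge to show why nothing above the pin can fix it. The release lists are constructed sample data, and the "1.10.8" entry carrying ^0.10.0 is a hypothetical fix release used only for illustration. Tilde ranges, pre-release tags, "x" wildcards and "||" are deliberately not handled.

```javascript
// Added example (not from the selfsigned project): a minimal npm-style range
// matcher for exact pins ("0.9.0") and caret ranges ("^1.10.7"), used to show
// why a pinned transitive dependency cannot be upgraded from the top of the tree.
// Not handled: "~", pre-release tags, "x" wildcards, "||".

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  if (!m) throw new Error(`unsupported version string: ${version}`);
  return m.slice(1).map(Number);
}

function compareTuples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range under npm's rule: the leftmost
// non-zero component may not change.
//   ^1.10.7 -> <2.0.0     ^0.10.0 -> <0.11.0     ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True when `version` is inside `range`. A bare version string is an exact pin.
function satisfies(range, version) {
  const r = range.trim();
  const v = parseVersion(version);
  if (r.startsWith('^')) {
    const lo = parseVersion(r.slice(1));
    return compareTuples(v, lo) >= 0 && compareTuples(v, caretUpperBound(lo)) < 0;
  }
  return compareTuples(v, parseVersion(r)) === 0;
}

// Highest published version satisfying `range` (what npm/yarn pick), or null.
function resolve(range, published) {
  const matches = published.filter((v) => satisfies(range, v));
  matches.sort((a, b) => compareTuples(parseVersion(a), parseVersion(b)));
  return matches.length ? matches[matches.length - 1] : null;
}

// Walk the chain app -> selfsigned -> node-forge: pick the selfsigned release
// the app's range allows, then resolve node-forge with *that* release's range.
function resolveForge(selfsignedRange, selfsignedReleases, forgeVersions) {
  const chosen = resolve(selfsignedRange, Object.keys(selfsignedReleases));
  if (chosen === null) return null;
  const forgeRange = selfsignedReleases[chosen]['node-forge'];
  return { selfsigned: chosen, forge: resolve(forgeRange, forgeVersions) };
}

// Constructed sample data (assumption, not a registry lookup). 1.10.7 pinning
// node-forge to exactly 0.9.0 is the situation the thread describes; the
// "1.10.8" entry with ^0.10.0 is a hypothetical fix release.
const FORGE_VERSIONS = ['0.9.0', '0.10.0', '0.10.1'];
const BEFORE_FIX = { '1.10.7': { 'node-forge': '0.9.0' } };
const AFTER_FIX = { ...BEFORE_FIX, '1.10.8': { 'node-forge': '^0.10.0' } };

// The app declares selfsigned ^1.10.7 (as webpack-dev-server does). With only
// 1.10.7 published, node-forge stays on 0.9.0 whatever the app does; once a
// 1.10.8 with ^0.10.0 exists, the same app range picks up 0.10.1 automatically.
console.log('before fix:', resolveForge('^1.10.7', BEFORE_FIX, FORGE_VERSIONS));
console.log('after fix: ', resolveForge('^1.10.7', AFTER_FIX, FORGE_VERSIONS));
```

The second call is the whole point of the "non-breaking" request: because ^1.10.7 already admits 1.10.8 and 1.11.0, a patch or minor release of selfsigned flows down to every webpack-dev-server user on their next install, whereas a 2.0.0 would not match and would need webpack-dev-server to change its own range first.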

Any estimate on merging this and creating a new release?

This is now causing issues in create-react-app. facebook/create-react-app#9599

afuno commented

@jfromaniello 🤔

This is a problem for webpack-dev-server too. Latest releases of webpack-dev-server depend on selfsigned ^1.10.7.

Latest selfsigned depends on node-forge 0.9.0 -- only allowing 0.9.0 exactly. node-forge 0.9.0 has a CVE out: GHSA-92xj-mqp7-vmcj

Large numbers of projects are stuck depending on a version of node-forge with a CVE until a selfsigned release is made fixing this, or other dependencies stop using selfsigned. Automatic dependency vulnerability checkers, such as GitHub's Dependabot, are currently flagging large numbers of projects for this vulnerability, which these projects have no way to fix.

It would be good to get some feedback from any maintainer(s) of selfsigned as to whether a selfsigned release is likely...

@jfromaniello for president! 😄