Fix vulnerabilities (CVE-2022-24771, CVE-2022-24772, CVE-2022-24773)
jungdaniel opened this issue · 2 comments
jungdaniel commented
node-forge@1.2.0 seems to contain vulnerabilities.
More details:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Issues were addressed in node-forge@1.3.0.
jfromaniello commented
This library depends on ^1.2 which means all 1s. This change is not necessary I think
» npm i selfsigned --save
added 2 packages, and audited 3 packages in 1s
found 0 vulnerabilities
» cat package-lock.json | jq '.packages."node_modules/node-forge".version'
"1.3.0"
jfromaniello commented
Anyway, I just updated the package-lock.json and removed the .2 from the package.json
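A check for the situation discussed in this thread, added here as an example and not part of the issue or the selfsigned project's code: a caret range such as ^1.2 permits 1.3.0, but an existing lockfile can still pin an older node-forge, so the resolved version is what needs checking. The function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Report node-forge copies in a parsed package-lock.json that resolve below 1.3.0.
const FIXED = [1, 3, 0]; // per the issue: addressed in node-forge@1.3.0

function parseVersion(v) {
  // Keep major.minor.patch only; prerelease/build metadata is ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] < min[i];
  }
  return false;
}

function findOldForge(lock) {
  const hits = [];
  const check = (where, version) => {
    const v = parseVersion(version);
    // Unparseable versions are reported rather than silently passed.
    if (!v || isBelow(v, FIXED)) hits.push({ where, version });
  };
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail ? trail + ' > ' + name : name;
      if (name === 'node-forge') check(here, info.version);
      walk(info.dependencies, here);
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path (nested copies included).
    for (const [path, info] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/node-forge$/.test(path)) check(path, info.version);
    }
  } else {
    walk(lock.dependencies, ''); // lockfileVersion 1: nested dependency tree
  }
  return hits;
}

// Constructed sample lockfile: the range allows 1.3.0 but the lock pins 1.2.0.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/selfsigned': { version: '0.0.0', dependencies: { 'node-forge': '^1.2' } },
    'node_modules/node-forge': { version: '1.2.0' },
  },
};
console.log(findOldForge(sampleLock));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findOldForge`.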