Bumps sshpk from 1.10.1 to 1.15.2. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.*
> **Moderate severity vulnerability that affects sshpk**
> The sshpk NPM package is vulnerable to ReDoS when parsing crafted invalid public keys.
>
> Affected versions: < 1.13.2
*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/fc393f9f-282f-4bc9-953b-d7e4b48352e9).*
> **CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')**
> The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
>
> Affected versions: <1.14.1
*Sourced from [The Node Security Working Group](https://github.com/nodejs/security-wg/blob/master/vuln/npm/401.json).*
> **Denial of Service**
> `sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys
>
> Affected versions: <=1.13.1
Release notes
*Sourced from [sshpk's releases](https://github.com/joyent/node-sshpk/releases).*
> ## v1.14.1
> * Remove all remaining usage of jodid25519 (abandoned dep)
> * Add support for DNSSEC key format
> * Add support for Ed25519 keys in PEM format (according to draft-curdle-pkix)
> * Fixes for X.509 encoding issues (asn.1 NULLs in RSA certs, cert string type mangling)
> * Performance issues parsing long SSH public keys
>
> ## v1.13.0
> * Support SSH-format rsa-sha2-256 signatures (e.g. so the SSH agent can sign using RSA-SHA256)
>
> ## v1.12.0
> * Support for generating ECDSA keys using `generatePrivateKey()`
> * Minimum for `sshpk-agent` to be able to sign new certificates using an agent key
>
> ## v1.11.0
> * Added support for X.509 extKeyUsage
Commits
- See full diff in [compare view](https://github.com/joyent/node-sshpk/commits/v1.15.2)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
Bumps sshpk from 1.10.1 to 1.15.2. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.* > **Moderate severity vulnerability that affects sshpk** > The sshpk NPM package is vulnerable to ReDoS when parsing crafted invalid public keys. > > Affected versions: < 1.13.2 *Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/fc393f9f-282f-4bc9-953b-d7e4b48352e9).* > **CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')** > The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended. > > Affected versions: <1.14.1 *Sourced from [The Node Security Working Group](https://github.com/nodejs/security-wg/blob/master/vuln/npm/401.json).* > **Denial of Service** > `sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys > > Affected versions: <=1.13.1Release notes
*Sourced from [sshpk's releases](https://github.com/joyent/node-sshpk/releases).* > ## v1.14.1 > * Remove all remaining usage of jodid25519 (abandoned dep) > * Add support for DNSSEC key format > * Add support for Ed25519 keys in PEM format (according to draft-curdle-pkix) > * Fixes for X.509 encoding issues (asn.1 NULLs in RSA certs, cert string type mangling) > * Performance issues parsing long SSH public keys > > ## v1.13.0 > * Support SSH-format rsa-sha2-256 signatures (e.g. so the SSH agent can sign using RSA-SHA256) > > ## v1.12.0 > * Support for generating ECDSA keys using `generatePrivateKey()` > * Minimum for `sshpk-agent` to be able to sign new certificates using an agent key > > ## v1.11.0 > * Added support for X.509 extKeyUsageCommits
- See full diff in [compare view](https://github.com/joyent/node-sshpk/commits/v1.15.2)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.