Closed paimon0715 closed 3 years ago
@paimon0715 thanks! Is this an automated report? For security issues, in the future, please have a look at our security policy and reporting guidelines: https://github.com/googleapis/google-p12-pem/blob/master/SECURITY.md
@JustinBeckwith This is not a bot.
Thank you so much for your help! @chingor13 @JustinBeckwith
We backported the dependency bump into 1.0.5 and 2.0.5 and released them to npm.
Hi @JustinBeckwith, I'd like to report a high severity vulnerability in your package google-p12-pem:
Issue Description
A vulnerability, CVE-2020-7720 (high severity), detected in package node-forge <0.10.0 is directly referenced by google-p12-pem@2.0.4 and @1.0.4. We noticed that such a vulnerability has been removed since google-p12-pem@3.0.3.
However, google-p12-pem's popular previous versions google-p12-pem@2.0.4 (428,436 downloads per week) and google-p12-pem@1.0.4 (464,605 downloads per week) are still transitively referenced by a large number of the latest versions of active and popular downstream projects. Taking google-p12-pem@2.0.4 as an example, there are about 1,260 downstream projects, e.g., @blossm/cli 0.0.1837, psi 4.1.0, @sentrei/common 1.131.0, @firebaseextensions/firestore-bigquery-change-tracker 1.1.12, @sentrei/web 1.131.0, @blossm/cli@0.0.1837, @fonos/sdk@0.1.8-alpha.0, botium-connector-google-assistant@0.0.8, etc. As such, issue CVE-2020-7720 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade google-p12-pem from version 2.0.4 or 1.0.4 to 3.*.*. For instance, google-p12-pem@2.0.4 and @1.0.4 are introduced into the above projects via the following package dependency paths:
(1) @blossm/cli@0.0.1837 ➔ @blossm/gcp-secret@0.0.55 ➔ @blossm/gcp-storage@0.0.11 ➔ @google-cloud/storage@3.5.0 ➔ @google-cloud/common@2.4.0 ➔ google-auth-library@5.10.1 ➔ gtoken@4.1.4 ➔ google-p12-pem@2.0.4 ➔ node-forge@0.9.2
(2) @fonos/sdk@0.1.8-alpha.0 ➔ @fonos/funcs@0.1.8-alpha.0 ➔ container-image-builder@3.2.0 ➔ google-auth-library@5.10.1 ➔ gtoken@4.1.4 ➔ google-p12-pem@2.0.4 ➔ node-forge@0.9.2
(3) botium-connector-google-assistant@0.0.8 ➔ actions-on-google-testing@0.4.0 ➔ google-auth-library@5.10.1 ➔ gtoken@4.1.4 ➔ google-p12-pem@2.0.4 ➔ node-forge@0.9.2
(4) @backstage/plugin-techdocs-backend@0.8.6 ➔ @backstage/techdocs-common@0.6.7 ➔ pkgcloud@2.2.0 ➔ @google-cloud/storage@2.5.0 ➔ @google-cloud/common@0.32.1 ➔ google-auth-library@3.1.2 ➔ gtoken@2.3.3 ➔ google-p12-pem@1.0.4 ➔ node-forge@0.8.5
(5) @backstage/techdocs-common@0.6.7 ➔ pkgcloud@2.2.0 ➔ @google-cloud/storage@2.5.0 ➔ @google-cloud/common@0.32.1 ➔ google-auth-library@3.1.2 ➔ gtoken@2.3.3 ➔ google-p12-pem@1.0.4 ➔ node-forge@0.8.5
......
The projects such as @blossm/gcp-storage, container-image-builder, actions-on-google-testing and pkgcloud, etc., which introduced google-p12-pem@2.0.4 or @1.0.4, are not maintained anymore. These unmaintained packages can neither upgrade google-p12-pem nor be easily migrated by the large amount of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from packages google-p12-pem@2.0.4 and @1.0.4?
Suggested Solution
Since these inactive projects set a version constraint ~2.0.* or ~1.0.* for google-p12-pem on the vulnerable dependency paths, if google-p12-pem removes the vulnerability from @2.0.4 and @1.0.4 and releases new patched versions google-p12-pem@2.0.5 and google-p12-pem@1.0.5, such a vulnerability patch can be automatically propagated into the affected downstream projects.
In google-p12-pem@2.0.5, you can kindly try to perform the following upgrade:
node-forge ^0.9.0 ➔ ^0.10.0
Note: node-forge@0.10.0 (>=0.10.0) has fixed the vulnerability CVE-2020-7720.
In google-p12-pem@1.0.5, you can kindly try to perform the following upgrade:
node-forge ^0.8.0 ➔ ^0.10.0
Note: node-forge@0.10.0 (>=0.10.0) has fixed the vulnerability CVE-2020-7720.
Thank you for your contributions.
Sincerely yours, Paimon
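The suggested solution in the report rests on two things: semver range resolution (a downstream constraint such as ~2.0.4 picks up a new 2.0.5 patch release on the next install but will never accept 3.x), and the transitive dependency paths along which the vulnerable node-forge reaches a project. The Node.js script below is an added example, not code from google-p12-pem, gtoken or the issue author. It walks a constructed, simplified registry snapshot mirroring dependency path (3) above (the version ranges in it are assumptions for illustration, not copied from the real package manifests), lists every path that resolves to node-forge below 0.10.0, and shows that adding a google-p12-pem@2.0.5 entry that depends on node-forge ^0.10.0 empties that list without any downstream project changing a line. It implements only the range forms used on this page (exact, ~, ^, >=) instead of pulling in the semver package.

```javascript
// Added example: resolve a constructed dependency graph the way npm does
// (highest published version satisfying each range), list the paths that end
// at a node-forge version below the fixed 0.10.0, and show that a backported
// google-p12-pem@2.0.5 is picked up by a "~2.0.4" constraint while 3.0.3 is not.

// Parse "major.minor.patch" into numbers.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error('bad version: ' + v);
  return { major: parts[0], minor: parts[1], patch: parts[2] };
}

function cmp(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// Minimal semver range check for the forms used on this page:
// exact "x.y.z", "~x.y.z", "^x.y.z" and ">=x.y.z" (no "||", "*" or "x" wildcards).
function satisfies(version, range) {
  const m = /^(~|\^|>=)?(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) throw new Error('unsupported range: ' + range);
  const v = parseVersion(version);
  const lower = { major: +m[2], minor: +m[3], patch: +m[4] };
  const op = m[1] || '';
  if (cmp(v, lower) < 0) return false;
  if (op === '') return cmp(v, lower) === 0;
  if (op === '>=') return true;
  let upper;
  if (op === '^' && lower.major > 0) {
    upper = { major: lower.major + 1, minor: 0, patch: 0 }; // ^2.0.4 => <3.0.0
  } else if (op === '^' && lower.minor === 0) {
    upper = { major: 0, minor: 0, patch: lower.patch + 1 }; // ^0.0.3 => <0.0.4
  } else {
    upper = { major: lower.major, minor: lower.minor + 1, patch: 0 }; // ~2.0.4 => <2.1.0, ^0.9.0 => <0.10.0
  }
  return cmp(v, upper) < 0;
}

// Split "name@version", keeping scoped names such as "@google-cloud/common@2.4.0" intact.
function splitId(id) {
  const at = id.lastIndexOf('@');
  return [id.slice(0, at), id.slice(at + 1)];
}

// Highest published version satisfying the range, as npm picks on a fresh install.
function resolve(registry, name, range) {
  const versions = Object.keys(registry)
    .map(splitId)
    .filter(([n, v]) => n === name && satisfies(v, range))
    .map(([, v]) => v)
    .sort((a, b) => cmp(parseVersion(a), parseVersion(b)));
  return versions.length ? versions[versions.length - 1] : null;
}

// Depth-first walk from root, collecting every path that ends at a `target`
// version outside `fixedRange`.
function vulnerablePaths(registry, root, target, fixedRange) {
  const hits = [];
  (function walk(id, path) {
    const [name, version] = splitId(id);
    const here = path.concat(id);
    if (name === target) {
      if (!satisfies(version, fixedRange)) hits.push(here);
      return;
    }
    for (const [dep, range] of Object.entries(registry[id] || {})) {
      const v = resolve(registry, dep, range);
      if (v === null) throw new Error(`no version of ${dep} satisfies ${range}`);
      walk(`${dep}@${v}`, here);
    }
  })(root, []);
  return hits;
}

// Constructed registry snapshot mirroring dependency path (3) from the issue.
// The ranges are assumptions for illustration, not taken from the real manifests.
const REGISTRY_BEFORE = {
  'botium-connector-google-assistant@0.0.8': { 'actions-on-google-testing': '^0.4.0' },
  'actions-on-google-testing@0.4.0': { 'google-auth-library': '^5.10.1' },
  'google-auth-library@5.10.1': { gtoken: '^4.1.4' },
  'gtoken@4.1.4': { 'google-p12-pem': '~2.0.4' },
  'google-p12-pem@2.0.4': { 'node-forge': '^0.9.0' },
  'google-p12-pem@3.0.3': { 'node-forge': '^0.10.0' }, // fixed, but outside ~2.0.4
  'node-forge@0.9.2': {},
  'node-forge@0.10.0': {},
};

// The same registry after the backported patch release the issue asks for.
const REGISTRY_AFTER = Object.assign({}, REGISTRY_BEFORE, {
  'google-p12-pem@2.0.5': { 'node-forge': '^0.10.0' },
});

const ROOT = 'botium-connector-google-assistant@0.0.8';
const FIXED_NODE_FORGE = '>=0.10.0'; // CVE-2020-7720 fixed from 0.10.0 on

function report(registry) {
  return vulnerablePaths(registry, ROOT, 'node-forge', FIXED_NODE_FORGE).map((p) => p.join(' -> '));
}

console.log('before google-p12-pem@2.0.5:', report(REGISTRY_BEFORE));
console.log('after google-p12-pem@2.0.5: ', report(REGISTRY_AFTER));
```

Run it with `node` and the first report prints the single path ending in node-forge@0.9.2; the second prints an empty list, because the same ~2.0.4 constraint now resolves to 2.0.5. Against a real project, the equivalent check is `npm ls node-forge` (which prints these paths from the installed tree) followed by `npm audit`; the point of the script is to make the resolution rule visible rather than to replace those tools.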