Closed by blockguardian 2 years ago
This is the same issue reported in #500, although I appreciate this is specifically calling out the issue in the v1.4 release.
As mentioned in the other issue, this vulnerability relates to RSA signature validation, and the Node SDK does not deal with RSA signatures so this should not impact the Node SDK. Additionally, the v1.4 release is not beyond its support window. See the LTS release strategy: https://hyperledger.github.io/fabric-rfcs/text/0005-lts-release-strategy.html
If a fix for #500 can be easily cherry-picked back to the release-1.4 branch, we can back-port that fix once it's ready. If it requires a significant amount of rework, that may not be practical and it would be up to community contribution to deliver any fix to v1.4.
@bestbeforetoday I'm working on it. Can you please assign it to me?
@bestbeforetoday we had given a PR for main branch for this issue and that was merged but the changes for v1.4 will be different.
Here we have observed that both `package.json` and `package-lock.json` files are present in the code but in main branch we have just `package.json`. Is there any specific reason why we are maintaining it in 1.4 but not in main?
Also we are facing difficulty in manually updating the package `jsrsasign`. Is there any procedure which we need to follow while updating the package in v1.4?
The `package-lock.json` files were removed in later branches when we began to see issues running builds with multiple different Node versions using the same (checked in) package lock files. If it helps to get changes delivered, I would be happy for you to remove the package lock files in the `release-1.4` branch too, and then prevent them from being accidentally re-added using `.gitignore` entries.
I don't recall anything special that needs to be done to update the jsrsasign dependency. It should just be a case of updating the appropriate `package.json` files. But you might need to delete your local `package-lock.json` and perhaps also `node_modules` directories before re-running `npm install` to be really sure any previous dependency versions are not left hanging around.
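The clean-up described above, as an added example script that is not part of the fabric-sdk-node project: it strips checked-in lock files and stale `node_modules` from a checkout, adds the `.gitignore` entries, and lists every `package.json` that declares `jsrsasign` so each one can be bumped consistently. The repository layout and the `clean_checkout`/`list_jsrsasign` function names are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own code). Usage: ./prepare-bump.sh <repo-root>
set -eu

# Append an entry to .gitignore only if it is not already present (idempotent).
ensure_ignored() {
  root="$1"; entry="$2"
  touch "$root/.gitignore"
  if ! grep -qx -- "$entry" "$root/.gitignore"; then
    printf '%s\n' "$entry" >> "$root/.gitignore"
  fi
}

# Count package-lock.json files outside any node_modules tree.
count_lockfiles() {
  find "$1" -path '*/node_modules' -prune -o -name package-lock.json -type f -print \
    | wc -l | tr -d ' '
}

# Remove checked-in lock files and stale node_modules, then protect the
# checkout against them being re-added by accident.
clean_checkout() {
  root="$1"
  find "$root" -path '*/node_modules' -prune -o -name package-lock.json -type f -print \
    | while IFS= read -r f; do rm -f -- "$f"; done
  find "$root" -name node_modules -type d -prune -exec rm -rf -- {} +
  ensure_ignored "$root" package-lock.json
  ensure_ignored "$root" node_modules
}

# Print "path<TAB>constraint" for every package.json (outside node_modules)
# that declares jsrsasign, so none of the sub-packages is missed in the bump.
list_jsrsasign() {
  root="$1"
  find "$root" -path '*/node_modules' -prune -o -name package.json -type f -print \
    | sort | while IFS= read -r f; do
      c=$(sed -n 's/.*"jsrsasign"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1)
      if [ -n "$c" ]; then printf '%s\t%s\n' "$f" "$c"; fi
    done
}

if [ $# -gt 0 ]; then
  clean_checkout "$1"
  list_jsrsasign "$1"
  echo "Now edit the constraints above, then run: npm install && npm audit"
fi
```

After the script runs, `npm install` regenerates a fresh lock locally (ignored by git) and `npm audit` confirms whether the updated constraint resolves the finding.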
Thanks @bestbeforetoday. We'll try this and proceed accordingly.
How to reproduce: switch to branch "release-1.4" and then run `npm audit`.