Closed kachkaev closed 3 years ago
+1 to @kachkaev 's ask. Waiting on the same. It would be great if we could get reply on the same from the team as well.
+1 to @kachkaev 's ask. Waiting on the same
+1
cc/ @jfromaniello
There is a pull request already from @dependabot: https://github.com/jfromaniello/selfsigned/pull/42
Would be great if a team member could check it.
This one is better because it is more permissive. Dependabot fixes to 0.10.0, but this would allow clients to use 0.10.1, 0.10.2, etc.
Any estimate on merging this and creating a new release?
This is now causing issues in create-react-app. https://github.com/facebook/create-react-app/issues/9599
@jfromaniello 🤔
This is a problem for webpack-dev-server too. Latest releases of webpack-dev-server depend on selfsigned ^1.10.7.
Latest selfsigned depends on node-forge 0.9.0 -- only allowing 0.9.0 exactly. node-forge 0.9.0 has a CVE out: https://github.com/advisories/GHSA-92xj-mqp7-vmcj
Large numbers of projects are stuck depending on a version of node-forge with a CVE until a selfsigned release is made fixing this, or other dependencies stop using selfsigned. Automatic dependency vulnerability checkers, such as GitHub's Dependabot, are currently flagging large numbers of projects for this vulnerability -- which these projects have no way to fix.
It would be good to get some feedback from any maintainer(s) of selfsigned as to whether a selfsigned release is likely...
@jfromaniello for president! :smile:
👋
It'd be great if a new version of selfsigned could be released with node-forge bumped to ^0.10.0. See https://nvd.nist.gov/vuln/detail/CVE-2020-7720. It'd also be great for the new release to be non-breaking if possible, to allow the users of web-pack-dev-server to upgrade without fiddling with resolutions or waiting for a new release of web-pack-dev-server. Its package.json refers to ^1.10.7, so both ^1.11.0 and ^1.10.8 would match the range.
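The version-range reasoning in this thread (an exact pin on 0.10.0 versus the range ^0.10.0, and why ^1.10.7 would accept a patch or minor bump of selfsigned) can be checked with a small caret-range matcher. This is an added example written for this page, not code from selfsigned, node-forge, or npm; it implements npm's caret rule for plain x.y.z versions only, and the vulnerable version it checks against is the 0.9.0 named in the thread.

```javascript
// Added example: minimal npm-style caret (^) range matcher.
// Rule: ^X.Y.Z allows any version >= X.Y.Z that keeps the leftmost
// non-zero component unchanged, so ^1.10.7 -> <2.0.0 and ^0.10.0 -> <0.11.0.
// Only plain x.y.z versions are handled (no prerelease tags or wildcards).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two versions component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range:
//   ^1.10.7 -> 2.0.0, ^0.10.0 -> 0.11.0, ^0.0.3 -> 0.0.4
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// true if `version` satisfies `range`; range is either an exact pin ("0.10.0",
// what the Dependabot PR uses) or a caret range ("^0.10.0", what the other PR uses).
function satisfies(version, range) {
  const r = range.trim();
  if (r.startsWith('^')) {
    const base = r.slice(1);
    return compareVersions(version, base) >= 0 &&
           compareVersions(version, caretUpperBound(base)) < 0;
  }
  return compareVersions(version, r) === 0;
}

// Defender-side check: does the version a dependency actually resolved to
// still equal the version covered by the advisory? (0.9.0 is the version
// named in this thread; pass another value for other advisories.)
function isKnownVulnerable(resolvedVersion, vulnerableVersion = '0.9.0') {
  return compareVersions(resolvedVersion, vulnerableVersion) === 0;
}
```

The `resolutions` workaround mentioned above only helps if the forced version actually falls inside every consumer's declared range, which `satisfies` lets you confirm before editing a lockfile.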