jfromaniello / selfsigned

Generate self-signed certificates from node.js
MIT License

Vulnerability in node-forge 0.9.0 #41

Closed kachkaev closed 3 years ago

kachkaev commented 4 years ago

👋

It'd be great if a new version of selfsigned could be released with node-forge bumped to ^0.10.0. See https://nvd.nist.gov/vuln/detail/CVE-2020-7720

It'd also be great for the new release to be non-breaking if possible, to allow the users of webpack-dev-server to upgrade without fiddling with resolutions or waiting for a new release of webpack-dev-server. Its package.json refers to ^1.10.7, so both ^1.11.0 and ^1.10.8 would match the range.

neharica commented 4 years ago

+1 to @kachkaev's ask. Waiting on the same. It would be great if we could get a reply on the same from the team as well.

dfhelloworld commented 4 years ago

+1 to @kachkaev's ask. Waiting on the same.

SymbioticKilla commented 4 years ago

+1

lucascaton commented 4 years ago

cc/ @jfromaniello

dilumn commented 4 years ago

There is a pull request already from @dependabot https://github.com/jfromaniello/selfsigned/pull/42

Would be great if a team member can check it

ghost commented 4 years ago

This one is better because it is more permissive. Dependabot fixes to 0.10.0, but this would allow clients to use 0.10.1, 0.10.2, etc.

mwikblom commented 4 years ago

Any estimate on merging this and creating a new release?

Aashishkmr commented 4 years ago

This is now causing issues in create-react-app. https://github.com/facebook/create-react-app/issues/9599

afuno commented 4 years ago

@jfromaniello 🤔

jrochkind commented 4 years ago

This is a problem for webpack-dev-server too. Latest releases of webpack-dev-server depend on selfsigned ^1.10.7.

Latest selfsigned depends on node-forge 0.9.0 -- only allowing 0.9.0 exactly. node-forge 0.9.0 has a CVE out: https://github.com/advisories/GHSA-92xj-mqp7-vmcj

Large numbers of projects are stuck depending on a version of node-forge with a CVE, until a selfsigned release is made fixing this, or other dependencies stop using selfsigned. Automatic dependency vulnerability checkers, such as GitHub's Dependabot, are currently flagging large numbers of projects for this vulnerability -- which these projects have no way to fix.

It would be good to get some feedback from any maintainer(s) of selfsigned as to whether a selfsigned release is likely...
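
The range arithmetic behind this thread (an exact `0.9.0` pin admits nothing else, `^0.10.0` admits 0.10.x but not 0.11.0, and `^1.10.7` is satisfied by both 1.10.8 and 1.11.0) is easy to get wrong for 0.x versions. The checker below is an added example, not code from selfsigned or webpack-dev-server; it implements npm's caret rule for exact pins and `^` ranges only, and the version lists are constructed for this thread.

```javascript
// Added example: a dependency-free semver checker for exact pins and caret
// ranges, to see whether a declared range can reach a patched release.
// Real tooling should use the `semver` package; this avoids it so it runs offline.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range: the leftmost non-zero component may
// not change. ^1.10.7 -> <2.0.0, ^0.10.0 -> <0.11.0, ^0.0.3 -> <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(range, version) {
  const ver = parseVersion(version);
  const r = range.trim();
  if (r.startsWith('^')) {
    const lower = parseVersion(r.slice(1));
    return compare(ver, lower) >= 0 && compare(ver, caretUpperBound(lower)) < 0;
  }
  // No operator means an exact pin, as in selfsigned 1.10.7's "node-forge": "0.9.0".
  return compare(ver, parseVersion(r)) === 0;
}

// Which of the published versions does `range` admit, excluding known-vulnerable ones?
function patchedVersionsInRange(range, published, vulnerable) {
  return published.filter(v => satisfies(range, v) && !vulnerable.includes(v));
}

// Constructed sample data using the versions named in this thread (not a registry query).
const NODE_FORGE_VERSIONS = ['0.9.0', '0.10.0', '0.10.1', '0.10.2', '0.11.0'];
const SELFSIGNED_VERSIONS = ['1.10.7', '1.10.8', '1.11.0', '2.0.0'];

console.log('node-forge "0.9.0" ->', patchedVersionsInRange('0.9.0', NODE_FORGE_VERSIONS, ['0.9.0']));
console.log('node-forge "^0.10.0" ->', patchedVersionsInRange('^0.10.0', NODE_FORGE_VERSIONS, ['0.9.0']));
console.log('selfsigned "^1.10.7" ->', patchedVersionsInRange('^1.10.7', SELFSIGNED_VERSIONS, ['1.10.7']));
```

With the exact pin the first list is empty, which is why no consumer could resolve past the vulnerable release until selfsigned itself was republished.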

alexander-akait commented 4 years ago

Fixed https://github.com/jfromaniello/selfsigned/releases/tag/v1.10.8

janosrusiczki commented 4 years ago

@jfromaniello for president! :smile: