jfromaniello / selfsigned

Generate self-signed certificates from node.js
MIT License

node-forge@^0.10.0 is vulnerable #48

Closed Mister-Hope closed 2 years ago

Mister-Hope commented 2 years ago

Any new version plan?

zac-jacobson commented 2 years ago

Thanks for the quick action on this! 🎉

jojomatik commented 2 years ago

Seems to me like v1.10.14 is vulnerable again, as the associated commit (https://github.com/jfromaniello/selfsigned/commit/499c12eb0c2c53418d6d54622a7ce4e9f820c65e) is based on v1.10.12 instead of on v1.10.13 for some reason.

Could you please create a version v1.10.15, as npm update selfsigned currently leads to v1.10.14 which still holds the vulnerable version of node-forge@^0.10.0?

Temporary workaround: Run npm install selfsigned@1.10.13 and npm uninstall selfsigned (as I don't have a direct dependency on selfsigned)
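A way to check which copies of selfsigned and node-forge a lockfile actually resolves, so the `npm update` result described above can be verified instead of guessed (an added example, not code from the selfsigned project; the sample lockfile, its paths and the `auditLock`/`pkgName` names are constructed for the demo):

```javascript
// Added example (not the selfsigned project's own code): walk a package-lock.json
// "packages" map (lockfileVersion 2 or 3) and report every installed copy of
// selfsigned with the node-forge range it declares, flagging installed
// node-forge 0.10.x copies, the range this issue reports as vulnerable.

// Constructed sample lockfile. Only selfsigned@1.10.14 -> node-forge@^0.10.0
// comes from the issue; the other versions and ranges are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" },
    "node_modules/webpack-dev-server": { version: "3.11.0", dependencies: { selfsigned: "^1.10.8" } },
    "node_modules/selfsigned": { version: "1.10.14", dependencies: { "node-forge": "^0.10.0" } },
    "node_modules/node-forge": { version: "0.10.0" },
    "node_modules/other-tool/node_modules/selfsigned": { version: "2.0.0", dependencies: { "node-forge": "^1.0.0" } },
    "node_modules/other-tool/node_modules/node-forge": { version: "1.0.0" },
  },
};

// Package name a lockfile path points at: the text after the last "node_modules/".
function pkgName(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns { selfsigned: [{path, version, forgeRange}], vulnerableForge: [{path, version}] }.
function auditLock(lock) {
  if (!lock.packages) throw new Error("lockfileVersion 1 has no packages map; regenerate with npm >= 7");
  const selfsigned = [];
  const vulnerableForge = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not an installed package
    const name = pkgName(path);
    if (name === "selfsigned") {
      selfsigned.push({ path, version: entry.version, forgeRange: (entry.dependencies || {})["node-forge"] || null });
    } else if (name === "node-forge" && /^0\.10\./.test(entry.version)) {
      vulnerableForge.push({ path, version: entry.version });
    }
  }
  return { selfsigned, vulnerableForge };
}

// Usage: node audit-lock.js [path/to/package-lock.json]; without an argument the sample is used.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const report = auditLock(lock);
  for (const s of report.selfsigned) console.log(`selfsigned@${s.version} at ${s.path} wants node-forge ${s.forgeRange}`);
  for (const f of report.vulnerableForge) console.log(`VULNERABLE node-forge@${f.version} installed at ${f.path}`);
  process.exitCode = report.vulnerableForge.length ? 1 : 0;
}
```

A non-zero exit code makes the check usable as a CI gate until the downstream packages pick up a fixed selfsigned release.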

Halfi commented 2 years ago

Seems to me like v1.10.14 is vulnerable again, as the associated commit (499c12e) is based on v1.10.12 instead of on v1.10.13 for some reason.

Could you please create a version v1.10.15, as npm update selfsigned currently leads to v1.10.14 which still holds the vulnerable version of node-forge@^0.10.0?

Temporary workaround: Run npm install selfsigned@1.10.13 and npm uninstall selfsigned (as I don't have a direct dependency on selfsigned)

Update to the version ^2.0.0

jojomatik commented 2 years ago

Update to the version ^2.0.0

That doesn't work that easily, I am using version 4 of @vue/cli-service (v5 isn't released yet) which requires webpack-dev-server@^3.11.0 which requires selfsigned@^1.10.8. Therefore I can't upgrade to ^2.0.0.

vue cli 4 is used by a lot of people and from what I can tell from other issues it seems like the vue cli team is focussing on vue cli 5 and not that invested into vue cli 4 anymore. I don't think they will invest time to update to a new major release of webpack-dev-server.

jojomatik commented 2 years ago

Just found https://github.com/jfromaniello/selfsigned/pull/49#issuecomment-1010012284:

I had to publish a new patch v1.10.14 which is the same as v1.10.12 because the updated version of node-forge breaks with node < 10.

This fix has been released as a major version v2.0.0, I also introduced engines node >= 10 rule.

Using v1.10.13 works fine for me now. Though, it seems like - as this is a breaking change - it should be handled by the relevant downstream projects. Hope that @vue/cli-service@v5 is out soon, with the fix.