Closed Mister-Hope closed 2 years ago
Thanks for the quick action on this! 🎉
Seems to me like v1.10.14 is vulnerable again, as the associated commit (https://github.com/jfromaniello/selfsigned/commit/499c12eb0c2c53418d6d54622a7ce4e9f820c65e) is based on v1.10.12 instead of on v1.10.13 for some reason.
Could you please create a version v1.10.15, as npm update selfsigned currently leads to v1.10.14 which still holds the vulnerable version of node-forge@^0.10.0?
Temporary workaround: Run npm install selfsigned@1.10.13 and npm uninstall selfsigned (as I don't have a direct dependency on selfsigned)
Update to the version ^2.0.0
That doesn't work that easy, I am using version 4 of @vue/cli-service (v5 isn't released yet) which requires webpack-dev-server@^3.11.0 which requires selfsigned@^1.10.8. Therefore I can't upgrade to ^2.0.0.
vue cli 4 is used by a lot of people and from what I can tell from other issues it seems like the vue cli team is focussing on vue cli 5 and not that invested into vue cli 4 anymore. I don't think they will invest time to update to a new major release of webpack-dev-server.
Just found https://github.com/jfromaniello/selfsigned/pull/49#issuecomment-1010012284:
I had to publish a new patch v1.10.14 which is the same as v1.10.12 because the updated version of node-forge breaks with node < 10. This fix has been released as a major version v2.0.0, I also introduced engines node >= 10 rule.
Using v1.10.13 works fine for me now. Though, it seems like - as this is a breaking change - it should be handled by the relevant downstream projects. Hope that @vue/cli-service@v5 is out soon, with the fix.
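A lockfile check for the situation discussed in this thread, where a range such as selfsigned@^1.10.8 resolves to v1.10.14 and with it node-forge@^0.10.0. This is an added example, not code from the selfsigned project or from the commenters; the sample lockfile, the package name example-tool and the node-forge range shown for 1.10.13 are constructed for illustration.

```javascript
// Range the thread identifies as the vulnerable node-forge dependency.
const VULNERABLE_RANGE = "^0.10.0";

// Constructed package-lock.json (lockfileVersion 2/3 "packages" map).
// "example-tool" and the 1.10.13 range are illustrative, not registry data.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/selfsigned": {
      version: "1.10.14",
      dependencies: { "node-forge": "^0.10.0" },
    },
    "node_modules/node-forge": { version: "0.10.0" },
    "node_modules/example-tool/node_modules/selfsigned": {
      version: "1.10.13",
      dependencies: { "node-forge": "^1.0.0" },
    },
    "node_modules/example-tool/node_modules/node-forge": { version: "1.0.0" },
  },
};

// Mimic Node's lookup: nearest node_modules first, then each ancestor.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return packages[candidate].version;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Report every installed copy of selfsigned, hoisted or nested, with the
// node-forge range it declares and the node-forge version it will load.
function auditSelfsigned(lock) {
  const packages = lock.packages || {};
  return Object.keys(packages)
    .filter((p) => p === "node_modules/selfsigned" || p.endsWith("/node_modules/selfsigned"))
    .map((p) => {
      const declared = (packages[p].dependencies || {})["node-forge"] || null;
      return {
        path: p,
        version: packages[p].version,
        declaredForge: declared,
        installedForge: resolveDep(packages, p, "node-forge"),
        flagged: declared === VULNERABLE_RANGE,
      };
    });
}

console.log(auditSelfsigned(SAMPLE_LOCK));
```

Running this against a real package-lock.json (parsed with JSON.parse) shows whether a transitive selfsigned was moved back onto the flagged range by a routine update, even when selfsigned is not a direct dependency.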
Any new version plan?